Recursively replace all JSON `$ref`s with the code that they refer to

gavid · February 6, 2023, 7:49pm

In JSON, it is possible in some formats (e.g. OpenAPI, React-JSON-Schema-Forms etc.) to use the $ref keyword as a rough parallel of macro functionality (see here: JSON References | NIEM GitHub).

This creates an issue when decoding JSON to Elixir (e.g. with Poison or Jason). I may be processing a complex JSON structure, and instead of the data I need being under "someKey", I have "$ref": "/path/to/something".

What I need is a way to replace all $refs with the actual JSON data that they represent. I have no idea how to do this, especially since $refs can be nested (i.e. a $ref refers to a JSON object with other refs inside it etc.). Also, in OpenApi, it is possible to add a attributes for summary and description after the $ref, but it is not possible to add any other attributes (How to use JSON references ($refs)).This creates further parsing complexity.

Is there some existing library that I can use maybe?

codeanpeace · February 7, 2023, 12:50am

One approach would be preprocessing the JSON with a JS/TS library like json-schema-ref-parser to de-reference/resolve the references before decoding it in Elixir.

If you really wanted to do this in Elixir, I’d take a look at how the JS libraries handle tree traversal and re-implement it in Elixir. I imagine there would be opportunities for recursion.

Off the top of my head, Elixir’s built-in get_in/2 and update_in/3 functions in the Kernel module paired with the Access module will be helpful. There’s also a Pathex library that could be a good alternative for working with nested data structures.

Edit to add: this github issue might be relevant

github.com/open-api-spex/open_api_spex

How to resolve %Reference in Open API spec yml

opened 07:52AM - 06 Dec 22 UTC

lmbautista

Morning guys 👋🏻! First of all I'd like to thank you for the super awesome pro…ject this **Open API Spex** is 💪🏼 Secondly, please If I write any _nonsense_ thing about elixir let me apologize in advance as I started some days ago to code it 😅 Here are the doubt I bring and the context: A few days ago I started using this library to try to auto-generate some code based on embedded elixir code by using templates and already existing Open API spec in `yml` format. I dug into how to resolve the references and I just tried to use `OpenApiSpex.SchemaResolver.resolve_schema_modules()` as you mentioned in [**the README**](https://github.com/open-api-spex/open_api_spex#main-spec). However, that didn't work as I expected as it basically returns [**here**](https://github.com/open-api-spex/open_api_spex/blob/master/lib/open_api_spex/schema_resolver.ex#L251) the `%OpenApiSpex.Reference` By taking your implementation as an example, I built my own module to resolve this scenario within the schemas of a spec (indeed we could apply it in any place where we have to resolve a `Reference`), but I was wondering If it would make sense to have this feature in the project (maybe it's already there but I didn´t find it 😓) ```elixir # I replaced the current line https://github.com/open-api-spex/open_api_spex/blob/master/lib/open_api_spex/schema_resolver.ex#L251 # defp resolve_schema_modules_from_schema(ref = %Reference{}, schemas), do: {ref, schemas} defp resolve_schema_modules_from_schema(schema = %Reference{}, schemas) do case Reference.resolve_schema(schema, schemas) do %Schema{} = schema -> resolve_schema_modules_from_schema(schema, schemas) %Reference{} = schema -> schema _ = other -> other end end ``` Here I attached an example to be executed in the terminal [yaml_schema_resolver.zip](https://github.com/open-api-spex/open_api_spex/files/10163918/yaml_schema_resolver.zip) Thanks in advance for the support 🙇🏼

al2o3cr · February 7, 2023, 1:04am

Both of the examples you linked to are specifically about embedding references in schemas (either YAML- or JSON-formatted) to reduce duplication; I don’t believe a normal application decoding plain JSON would ever encounter a $ref outside of that context.

If you are expecting input like this, make sure to be careful about which URLs you follow and when. For instance, if you wrote a JSON parser that loaded these references before validating the shape of the data you could accidentally create a denial-of-service reflector. For instance, imagine a malicious payload like:

{
  "foo1": {
    "$ref": "http://example.com/oh_no1#foo"
  },
  "foo2": {
    "$ref": "http://example.com/oh_no2#foo"
  },
  "foo3": {
    "$ref": "http://example.com/oh_no3#foo"
  },
  "foo4": {
    "$ref": "http://example.com/oh_no4#foo"
  },
  ...etc for thousands of times
}

A single request to an API that tries to “follow” all those refs would be multiplied into thousands pointed at example.com.