[Feature Request] Expose the real error of the schema inside "contains" #461

Open
EvanZhang008 opened this issue Jul 8, 2022 · 2 comments

EvanZhang008 commented Jul 8, 2022

Currently, the real error message inside contains will get lost. The end error we get is something like "expected at least one array item to match 'contains' schema", and it stops at "contains".

I think exposing the real error of the schema inside "contains" is a valid use case. Are there any technical difficulties and plans of doing this?

Contributor

erosb commented Jul 12, 2022

> Are there any technical difficulties and plans of doing this?

There is no technical difficulty, but there is a security risk. The proper way to address this problem would be including the schema validation failure of every array item (since they may fail for different reasons) to properly justify that no items matched the "contains" schema. If a malicious user submits a large array that produces complex-enough failures during validation, then collecting all failures may cause an OOME. When implementing this library, I tried to be cautious about including arbitrary-sized data (defined by the size of the validated instance) in the validation results.

Author

EvanZhang008 commented Jul 12, 2022

Thanks for the explanation, it does make sense.

I think the risk also exists in other places, like the keyword items. It seems like a shared responsibility between validator and consumer. It would be nice to have an option to ack the risk and enable this.

Currently, is there a way for us to enable this feature by passing some arguments? Or maybe ways to bypass this issue? One way I can think of as a consumer is to run validation again on our own for the schema inside the contains.

If not, I am wondering if you have any plans to support this as an optional feature?
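
The consumer-side re-validation discussed above, with a bound on what is retained, as an added example that is not part of the thread or the library's code: each array item is re-checked against the `contains` subschema, but at most `max_failures` truncated messages are kept, so the report does not grow with the submitted array. The mini-validator `check_item` (only `type` and `minimum`) and every name here are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical mini-validator standing in for a real JSON Schema library:
# it understands only "type" and "minimum" and returns a list of messages.
_TYPES = {"string": str, "number": (int, float), "object": dict, "array": list}

def check_item(item, schema):
    errors = []
    expected = schema.get("type")
    if expected and (not isinstance(item, _TYPES[expected]) or isinstance(item, bool)):
        errors.append(f"expected type {expected}, found {type(item).__name__}")
    elif "minimum" in schema and isinstance(item, (int, float)) and item < schema["minimum"]:
        errors.append(f"{item!r} is less than minimum {schema['minimum']}")
    return errors

@dataclass
class ContainsReport:
    matched: bool = False
    items_checked: int = 0
    failures: list = field(default_factory=list)  # never more than max_failures entries
    suppressed: int = 0                           # failing items that were only counted

def explain_contains(array, contains_schema, max_failures=5, max_msg_len=120):
    """Explain why no item matched "contains" using memory bounded by the caps."""
    report = ContainsReport()
    for index, item in enumerate(array):
        report.items_checked += 1
        errors = check_item(item, contains_schema)
        if not errors:
            # One match satisfies "contains"; earlier failures no longer matter.
            return ContainsReport(matched=True, items_checked=report.items_checked)
        if len(report.failures) < max_failures:
            # Keep the first message per item, truncated so one item cannot bloat the report.
            report.failures.append(f"#/{index}: {errors[0]}"[:max_msg_len])
        else:
            report.suppressed += 1  # count only, retain no per-item data
    return report

# Constructed input: 100,000 items, none of which is a number >= 10.
SAMPLE = ["x" * 1000] * 50_000 + [3] * 50_000
REPORT = explain_contains(SAMPLE, {"type": "number", "minimum": 10})
```

The retained data is bounded by `max_failures * max_msg_len` characters regardless of array length; the `suppressed` counter still tells the caller how many further items failed.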
