Fix prefix matching to respect path segment boundaries (#468)

ydah · web-flow · commit 7ff2876aef22 · 2026-02-12T19:20:28.000-06:00
This PR fixes prefix matching so a configured prefix like /v1 only matches /v1 and /v1/..., and does not incorrectly match /v11/....
diff --git a/lib/committee/schema_validator.rb b/lib/committee/schema_validator.rb
@@ -12,7 +12,11 @@ def request_media_type(request)
       def build_prefix_regexp(prefix)
         return nil unless prefix
 
-        /\A#{Regexp.escape(prefix)}/.freeze
+        if prefix == "/" || prefix.end_with?("/")
+          /\A#{Regexp.escape(prefix)}/.freeze
+        else
+          /\A#{Regexp.escape(prefix)}(?=\/|\z)/.freeze
+        end
       end
     end
   end
diff --git a/lib/committee/schema_validator/hyper_schema/router.rb b/lib/committee/schema_validator/hyper_schema/router.rb
@@ -6,7 +6,7 @@ class HyperSchema
       class Router
         def initialize(schema, validator_option)
           @prefix = validator_option.prefix
-          @prefix_regexp = /\A#{Regexp.escape(@prefix)}/.freeze if @prefix
+          @prefix_regexp = ::Committee::SchemaValidator.build_prefix_regexp(@prefix)
           @schema = schema
 
           @validator_option = validator_option
diff --git a/test/middleware/request_validation_open_api_3_test.rb b/test/middleware/request_validation_open_api_3_test.rb
@@ -254,6 +254,14 @@ def app
     assert_equal 200, last_response.status
   end
 
+  it "ignores similar prefix paths outside the prefix in strict mode" do
+    @app = new_rack_app(prefix: "/v1", schema: open_api_3_schema, strict: true)
+    params = { "string_post_1" => 1 }
+    header "Content-Type", "application/json"
+    post "/v11/characters", JSON.generate(params)
+    assert_equal 200, last_response.status
+  end
+
   it "don't check prefix with no option" do
     @app = new_rack_app(schema: open_api_3_schema)
     params = { "string_post_1" => 1 }
diff --git a/test/middleware/request_validation_test.rb b/test/middleware/request_validation_test.rb
@@ -263,6 +263,13 @@ def app
     assert_equal 200, last_response.status
   end
 
+  it "ignores similar prefix paths outside the prefix in strict mode" do
+    @app = new_rack_app(prefix: "/v1", schema: hyper_schema, strict: true)
+    header "Content-Type", "application/json"
+    post "/v11/apps", JSON.generate({ "name" => 1 })
+    assert_equal 200, last_response.status
+  end
+
   it "routes to paths not in schema" do
     @app = new_rack_app(schema: hyper_schema)
     get "/not-a-resource"
diff --git a/test/schema_validator/hyper_schema/router_test.rb b/test/schema_validator/hyper_schema/router_test.rb
@@ -43,6 +43,11 @@
     refute_nil link
   end
 
+  it "does not include a similar prefix path segment" do
+    link, _ = hyper_schema_router(prefix: "/kpi").includes?("/kpi2/apps")
+    assert_nil link
+  end
+
   it "provides named parameters" do
     link, param_matches = open_api_2_router.find_link("GET", "/api/pets/fido")
     refute_nil link
diff --git a/test/schema_validator_test.rb b/test/schema_validator_test.rb
@@ -20,4 +20,12 @@
     media_type = Committee::SchemaValidator.request_media_type(request)
     assert_equal 'multipart/form-data', media_type
   end
+
+  it "builds prefix regexp with a path segment boundary" do
+    regexp = Committee::SchemaValidator.build_prefix_regexp("/v1")
+
+    assert regexp.match?("/v1")
+    assert regexp.match?("/v1/characters")
+    refute regexp.match?("/v11/characters")
+  end
 end
