MultipartValidator Bug: Valid Array of File Objects Fails Validation #231

Closed
madwire-media/openapi-psr7-validator
#1
@leobedrosian

Summary

The League\OpenAPIValidation\PSR7\Validators\BodyValidator\MultipartValidator class does not properly validate collections of file objects that have a combination of binary (files) and non-binary data.

Here's an OpenAPI example schema that illustrates the problem:

  /multipart/files/collections:
    post:
      requestBody:
        content:
          multipart/form-data:
            schema:
              type: object
              properties:
                files:
                  type: array
                  items:
                    type: object
                    required:
                      - caption
                      - file
                    properties:
                      caption:
                        type: string
                      file:
                        type: string
                        format: binary

Problem Description

In MultipartValidator::validateServerRequestMultipart() for the multipart/form-data example above, the PSR7 message body array is merged with the files array using the built-in array_replace function. This causes the files array to replace the body array at the root element (because they have the same element hierarchy) and to wind up with an object that's missing some of the required properties, which fails validation.

Any array of file objects nested one or more levels deep with at least one other non-binary property (as shown in the schema above) will fail validation even though it's a valid schema definition.

Problem Solution

Correct the issue by merging the array elements recursively rather than at the root element. I've forked the repo, applied the fix and added tests for this specific case. I'll be issuing a PR for the commits in the hopes that it'll get reviewed and merged into master (with sufficient attention brought to the issue).
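
The root-level versus recursive merge described in this issue, as an added example that is not the project's code or the fix from the fork. The sample arrays are constructed, `missingRequired()` is a hypothetical helper, and `array_replace_recursive` is assumed here as one way to merge recursively.

```php
<?php
declare(strict_types=1);

// Constructed sample data: the shape the parsed body and uploaded-files arrays
// take for form fields files[0][caption], files[0][file], files[1][caption], ...
$body = ['files' => [
    ['caption' => 'Front view'],
    ['caption' => 'Side view'],
]];
$files = ['files' => [
    ['file' => '<uploaded file 0>'], // placeholder standing in for an uploaded file object
    ['file' => '<uploaded file 1>'],
]];

/**
 * Hypothetical helper: for each item, list the required schema keys it lacks.
 * Returns [itemIndex => [missingKey, ...]]; an empty array means all items pass.
 */
function missingRequired(array $items, array $required): array
{
    $missing = [];
    foreach ($items as $i => $item) {
        $absent = array_values(array_diff($required, array_keys($item)));
        if ($absent !== []) {
            $missing[$i] = $absent;
        }
    }
    return $missing;
}

// Required properties of each array item in the schema above.
$required = ['caption', 'file'];

// Root-level merge: both arrays share the top-level key "files", so
// $files['files'] replaces $body['files'] wholesale and the captions are dropped.
$shallow = array_replace($body, $files);
echo "array_replace:\n";
var_dump(missingRequired($shallow['files'], $required));

// Recursive merge: nested arrays are combined key by key, so each item
// keeps its caption and gains its file.
$deep = array_replace_recursive($body, $files);
echo "array_replace_recursive:\n";
var_dump(missingRequired($deep['files'], $required));
```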
