BIT-APISIX-2022-25757 Apache APISIX: the body_schema check in request-validation plugin can be bypassed

In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the bodyschema validation in the request-validation plugin. For example,...