Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Specify maximum errors
See original GitHub issueWhat version of Ajv you are you using?
6.12.3
What problem do you want to solve?
We recently received a CodeQL security vulnerability relating to setting allErrors: true in AJV because this can cause resource exhaustion if a nefarious payload is provided.
It would be ideal to be able to specify a specific upper limit of errors before validation is exited. Otherwise, we have to specify allErrors: false and users have to continually re-submit their payloads because only one errors is returned at a time, which is a poor user experience.
It would be best if we can specify an upper limit (like 1000 errors) so that users can recieve more than one error at a time, and we ensure that a resource exhaustion attack is mitigated based on the available hardware.
What do you think is the correct solution to problem?
Add a new property to Ajv options that specifies the maximum number of errors allowed, and then use that in the validation function to return early once reached.
Will you be able to implement it?
Yes, if I can get some guidance on where this validation takes place.
Issue Analytics
- State:
- Created a year ago
- Comments:5 (3 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@epoberezkin Ok - appreciate the quick reply.
Re proposed feature - it’s non-trivial, it will affect all code generation, and likely to have a negative performance impact. Let’s keep the issue open and see if there is more interest in this feature, right now it doesn’t seem like a good value tbh.
Assuming API users are developers you can always provide a sandbox server for testing to receive all errors, and you should not really use API to generate user facing errors - for this purpose you can run Ajv (or pre-compiled schemas) client side.