Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

After version 5.3.1 form arrays are mangled

See original GitHub issue

Upgrading to any version beyond 5.3.1 causes the req.body keys containing form arrays to become mangled into [object Object]. This affects not only in the custom() validator it also affects the value of req.body in the actual route handler for the request.

Example POST form data to express js endpoint:

name: some+name
alias: some+alias
param_data[id]: 12345
param_data[network_id]: 74634ae21

Console output using express-validator@5.3.1

req.body inside custom() {name: 'some name',
  alias: 'some alias',
  param_data: { id: '12345', network_id: '74634ae21' } }
req.body inside route { name: 'some name',
  alias: 'some alias',
  param_data: { id: '12345', network_id: '74634ae21' } }

Console output using express-validator@6.0.0 thru express-validator@6.2.0

req.body inside custom() { name: 'some name',
  alias: 'some alias',
  param_data: '[object Object]' }
req.body inside route { name: 'some name',
  alias: 'some alias',
  param_data: '[object Object]' }

Tested this in every version directly from 6.0.0 to 6.2.0 with the same results as above.

npm list --depth=0

proj@1.0.0 /path/to/proj
├── @babel/cli@7.6.2
├── @babel/core@7.6.2
├── @babel/node@7.6.2
├── @babel/plugin-transform-runtime@7.6.2
├── @babel/polyfill@7.6.0
├── @babel/preset-env@7.6.2
├── @babel/register@7.6.2
├── @babel/runtime@7.6.2
├── @babel/runtime-corejs2@7.6.2
├── aws-sdk@2.535.0
├── babelify@9.0.0
├── bluebird@3.5.5
├── body-parser@1.19.0
├── bootstrap@4.3.1
├── browserify@16.5.0
├── busboy@0.3.1
├── compression@1.7.4
├── config@1.31.0
├── connect-flash@0.1.1
├── connect-redis@3.4.2
├── cookie-parser@1.4.4
├── core-js@2.6.9
├── csurf@1.10.0
├── csv-express@1.2.2
├── debug@2.6.9
├── del@3.0.0
├── do-wrapper@3.25.3
├── es6-promise@4.2.8
├── express@4.17.1
├── express-session@1.16.2
├── express-validator@5.3.1
├── fast-csv@3.4.0
├── handlebars@4.1.2
├── intersection-observer@0.5.1
├── jquery@3.4.1
├── mdi@2.2.43
├── moment@2.24.0
├── mongoose@5.7.1
├── mongoose-bcrypt@1.6.0
├── mongoose-plugin-autoinc@1.1.9
├── mongoose-unique-validator@2.0.3
├── morgan@1.9.1
├── nanoid@1.3.4
├── node-sass@4.12.0
├── node-schedule@1.3.2
├── nopt@4.0.1
├── passport@0.4.0
├── passport-local@1.0.0
├── permission@1.1.0
├── popper.js@1.15.0
├── saslprep@1.0.3
├── serve-favicon@2.4.5
├── tmp@0.0.33
├── twig@0.10.3
├── uglify-js@3.6.0
├── underscore@1.9.1
├── url-search-params@1.1.0
└── yargs@11.1.0

Issue Analytics

State:
Created 4 years ago
Comments:5 (2 by maintainers)

Top GitHub Comments

1reaction

gustavohenkecommented, Oct 12, 2019

What happens is that before v6, non-string values wouldn’t be sanitised, which was a major security breach; thus, now they are converted to string before being sanitised.

If you expect it to be an object, you should validate it like so.

0reactions

gustavohenkecommented, Jan 18, 2020

Sorry for the delay – you should be able to use wildcards to do this. E.g. check('param_data.*').trim()