matchedData() returns unwanted fields for nested objects
matchedData() returns unwanted fields for nested objects, I think it should (or at least have an option) to not return a nested property if it is not specified in validator.
Route:
router.route('/users/:id/profile-settings').put(
  [
    param('id').exists(),
    body('address')
      .optional(),
    body('address.displayStreet')
      .optional()
      .isBoolean()
  ],
  controller.update
)
Request body:
{
  "address": {
    "test": true,
    "displayStreet": true
  }
}
matchedData() call:
let bodyData = matchedData(req, { locations: ['body'] })
Expected result:
{
  "address": {
    "displayStreet": true
  }
}
Acquired result:
{
  "address": {
    "test": true,
    "displayStreet": true
  }
}
I think it shouldn’t return fields that are not specified in validator, so it shouldn’t return the test field after calling matchedData(). Perhaps, it’s a security concern, since it’s not a good idea to let unknown properties bypass your validations.
Issue Analytics
- Created 4 years ago
- Reactions: 5
- Comments: 5
Top GitHub Comments
I would like to add that my company is having the same problem here. We are currently mapping each property of our nested objects and it would be awesome if we could rely only on matchedData() call. Thank you.

Strangely, I cloned the repo and wrote a test in /src/matched-data.spec.ts that I expected to fail based on the problems above.
I investigated how I was handling my validation a bit more and it seems that the common thread here is that myself and @Igor-Lopes both are validating the top level object and its nested properties.
In my case, above, I was running body('fields').isObject({ strict: true }), then iterating over each field. This caused matchedData to not fulfill my expectations of removing non-validated fields.
When I removed the top level body('fields').isObject() validation, matchedData() worked as expected.
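
A simplified model of the behaviour reported in this thread, as an added example that is not part of the original issue, its comments, or express-validator's source. The helper names (`collect`, `leafPaths`, `undeclaredLeaves`) are hypothetical, and the assumption that a declared parent path is copied whole comes from the report and the last comment, not from the library code.

```javascript
// Added illustration: simplified path copying, NOT express-validator's implementation.

// Read the value at a dotted path using own properties only.
function getPath(obj, path) {
  return path.split('.').reduce((cur, key) =>
    cur !== null && typeof cur === 'object' && Object.prototype.hasOwnProperty.call(cur, key)
      ? cur[key] : undefined, obj);
}

// Write a value at a dotted path (paths are developer-declared, never user input).
function setPath(obj, path, value) {
  const keys = path.split('.');
  const last = keys.pop();
  let cur = obj;
  for (const key of keys) {
    if (cur[key] === null || typeof cur[key] !== 'object') cur[key] = {};
    cur = cur[key];
  }
  cur[last] = value;
}

// Assumed model: a declared parent such as 'address' is copied whole, unknown keys included.
function collect(body, paths) {
  const out = {};
  for (const p of paths) {
    const v = getPath(body, p);
    if (v !== undefined) setPath(out, p, JSON.parse(JSON.stringify(v)));
  }
  return out;
}

// Drop any path that is the parent of another declared path, so objects are rebuilt leaf by leaf.
function leafPaths(paths) {
  return paths.filter(p => !paths.some(q => q.startsWith(p + '.')));
}

// List body leaves that no declared path names, so a handler can reject the request.
function undeclaredLeaves(body, paths, prefix = '') {
  return Object.entries(body).flatMap(([key, value]) => {
    const path = prefix + key;
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) return undeclaredLeaves(value, paths, path + '.');
    return paths.includes(path) ? [] : [path];
  });
}

// Constructed sample: the request body and the validated paths from the issue.
const sampleBody = { address: { test: true, displayStreet: true } };
const declared = ['address', 'address.displayStreet'];
console.log(collect(sampleBody, declared), collect(sampleBody, leafPaths(declared)), undeclaredLeaves(sampleBody, declared));
```

Arrays are treated as leaves here, so an array-valued field must be declared by its own path to pass `undeclaredLeaves`.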