matchedData() returns unwanted fields for nested objects

matchedData() returns unwanted fields for nested objects. I think it should not (or at least should have an option to not) return a nested property if it is not specified in the validator.

Route:

router.route('/users/:id/profile-settings').put(
  [
    param('id').exists(),
    body('address')
      .optional(),
    body('address.displayStreet')
      .optional()
      .isBoolean()
  ],
  controller.update
)

Request body:

{
    "address": {
        "test": true,
        "displayStreet": true
    }
}

matchedData() call:

let bodyData = matchedData(req, { locations: ['body'] })

Expected result:

{
    "address": {
        "displayStreet": true
    }
}

Acquired result:

{
    "address": {
        "test": true,
        "displayStreet": true
    }
}

I think it shouldn’t return fields that are not specified in the validator, so it shouldn’t return the test field after calling matchedData(). Perhaps it’s a security concern, since it’s not a good idea to let unknown properties bypass your validations.

Issue Analytics

  • State: open
  • Created 4 years ago
  • Reactions: 5
  • Comments: 5

Top GitHub Comments

2 reactions
andrefilipesilva73 commented, May 5, 2021

I would like to add that my company is having the same problem here. We are currently mapping each property of our nested objects and it would be awesome if we could rely only on matchedData() call. Thank you.

0 reactions
imjared commented, Aug 11, 2021

Strangely, I cloned the repo and wrote a test in /src/matched-data.spec.ts that I expected to fail based on the problems above.

it('excludes non-matched nested data', done => {
  const req = {
    body: {
      foo: {
        bar: 'baz',
        qux: 4,
        friend: {
          text: 'myfriend',
        },
      },
    },
  };

  body('foo.bar').isString()(req, {}, () => {
    expect(matchedData(req)).toEqual({
      foo: { bar: 'baz' },
    });
    done();
  });
});

I investigated how I was handling my validation a bit more, and it seems that the common thread here is that @Igor-Lopes and I are both validating the top-level object and its nested properties.

In my case, above, I was running body('fields').isObject({ strict: true }), then iterating over each field. This caused matchedData to not fulfill my expectations of removing non-validated fields.

When I removed the top level body('fields').isObject() validation, matchedData() worked as expected.
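
The behaviour discussed in this thread, modelled as an added example (not code from the issue or from express-validator; `getPath`, `setPath`, `pickDeclared` and `pickLeaves` are hypothetical names): declaring a parent path next to its nested paths lets the whole subtree through, while keeping only the most specific declared paths yields the result the issue expects.

```javascript
// Added example: a stand-alone model of allowlist extraction, not express-validator's implementation.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Read a dotted path using own properties only; returns { found, value }.
function getPath(obj, path) {
  let cur = obj;
  for (const key of path.split('.')) {
    if (FORBIDDEN.has(key) || cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, key)) {
      return { found: false, value: undefined };
    }
    cur = cur[key];
  }
  return { found: true, value: cur };
}

// Write a value at a dotted path, creating intermediate plain objects as needed.
function setPath(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof cur[key] !== 'object' || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
}

// Naive: copy every declared path. A declared parent copies its whole subtree.
function pickDeclared(source, paths) {
  const out = {};
  for (const p of paths) {
    const { found, value } = getPath(source, p);
    if (found) setPath(out, p, JSON.parse(JSON.stringify(value))); // JSON body assumed
  }
  return out;
}

// Strict: drop any declared path that is a prefix of another declared path.
function pickLeaves(source, paths) {
  const leaves = paths.filter(p => !paths.some(q => q.startsWith(p + '.')));
  return pickDeclared(source, leaves);
}

// Constructed input mirroring the request body and validator paths in the issue.
const sampleBody = { address: { test: true, displayStreet: true } };
const declared = ['address', 'address.displayStreet'];
console.log(pickDeclared(sampleBody, declared)); // unvalidated "test" passes through
console.log(pickLeaves(sampleBody, declared));   // only "displayStreet" remains
```

Whichever extraction is used, a handler that persists the result is safest when it names the fields it stores rather than spreading the whole object into a database update.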
