[security] Validation not performed when input json is array
See original GitHub issue
Bug Report
Current behavior
When you wrap any JSON input object in an array of that object, it automagically accepts it and handles each sub-object, BUT the input validation is skipped. This is a security issue.
Input Code
Example DTO and handler (class names assumed; the original only showed the decorated field):

import { Body, Controller, Post, UsePipes, ValidationPipe } from '@nestjs/common';
import { IsNotEmpty } from 'class-validator';

class ExampleDto {
  @IsNotEmpty()
  mandatoryField: string;
  optionalField?: string;
}

@Controller('example')
class ExampleController {
  @Post()
  @UsePipes(ValidationPipe)
  create(@Body() dto: ExampleDto) { return dto; }
}

and input
[
  {
    "optionalField": "I'm the only field here"
  }
]
Expected behavior
Either automatic validation of each sub-object OR an error saying the object does not validate against the DTO.
Possible Solution
Do not accept any object that does not conform to the DTO.
Environment
Nest version: 6.6.6
Issue Analytics
- State: closed
- Created 4 years ago
- Comments: 8 (4 by maintainers)
We rely on class-validator and this option is, unfortunately, disabled by default. To make developers' lives easier & apps less error prone, I have added an extra check (expected type === transformed type) to ensure that arrays won't pass validation (since they shouldn't be used in combination with regular DTOs and ValidationPipe either way). Update is already published (@nestjs/common@6.6.7).

Thanks for the explanation!
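To make the bypass and the fix concrete, here is an added, dependency-free model of the ValidationPipe flow. It is example code written for this page, not code from NestJS, class-validator or class-transformer; the DTO name, the rule registry and the pipe function names are assumptions. The model keeps the two behaviours that matter: class-transformer's plainToClass maps an array body element-wise, so the pipe ends up holding an Array rather than a DTO instance, and class-validator (with forbidUnknownValues off, which was the default at the time) reports no errors for an object it has no metadata for. The hardened pipe adds the "expected type === transformed type" check the maintainer describes.

```typescript
// Added example (not NestJS / class-validator / class-transformer code): a
// minimal model of ValidationPipe showing why an array body skipped validation
// and how an "expected type === transformed type" check rejects it.
// CreateItemDto, the metadata map and the pipe names are assumptions.

type Ctor = new () => object;
type Rules = Record<string, { notEmpty: boolean }>;

// Hypothetical DTO standing in for a class with a @IsNotEmpty() mandatoryField.
class CreateItemDto {
  mandatoryField = '';
  optionalField = '';
}

// Validation metadata keyed by constructor, replacing decorator metadata.
const metadata = new Map<Function, Rules>([
  [CreateItemDto, { mandatoryField: { notEmpty: true }, optionalField: { notEmpty: false } }],
]);

// Models plainToClass: an array input is mapped element-wise, so an array body
// comes back as an Array of DTO instances, not a DTO instance.
function plainToClass(metatype: Ctor, value: unknown): unknown {
  if (Array.isArray(value)) return value.map((v) => plainToClass(metatype, v));
  if (typeof value !== 'object' || value === null) return value;
  return Object.assign(new metatype(), value);
}

// Models validate(): rules are looked up by the instance's constructor. A type
// with no registered rules (an Array here) yields no errors, as class-validator
// did with forbidUnknownValues off.
function validate(entity: object): string[] {
  const rules = metadata.get(entity.constructor);
  if (!rules) return [];
  const errors: string[] = [];
  for (const [prop, rule] of Object.entries(rules)) {
    const v = (entity as Record<string, unknown>)[prop];
    if (rule.notEmpty && (v === undefined || v === null || v === '')) {
      errors.push(`${prop} should not be empty`);
    }
  }
  return errors;
}

// Vulnerable flow: transform, then validate whatever came back.
function vulnerablePipe(metatype: Ctor, body: unknown): unknown {
  const entity = plainToClass(metatype, body);
  if (typeof entity !== 'object' || entity === null) throw new Error('body must be an object');
  const errors = validate(entity);
  if (errors.length > 0) throw new Error(errors.join('; '));
  return entity;
}

// Hardened flow: the transformed value must be an instance of the expected
// metatype, so an Array (or anything else) is rejected before validate() runs.
function hardenedPipe(metatype: Ctor, body: unknown): unknown {
  const entity = plainToClass(metatype, body);
  const got = typeof entity !== 'object' || entity === null ? typeof entity : entity.constructor.name;
  if (typeof entity !== 'object' || entity === null || entity.constructor !== metatype) {
    throw new Error(`expected ${metatype.name}, got ${got}`);
  }
  const errors = validate(entity);
  if (errors.length > 0) throw new Error(errors.join('; '));
  return entity;
}

// Runs a pipe and reports 'accepted' or 'rejected: <reason>' for side-by-side comparison.
function outcome(pipe: (m: Ctor, b: unknown) => unknown, body: unknown): string {
  try {
    pipe(CreateItemDto, body);
    return 'accepted';
  } catch (e) {
    return `rejected: ${(e as Error).message}`;
  }
}

// Constructed request bodies: the report's array wrapper, the bare object, and a valid object.
const arrayBody = [{ optionalField: "I'm the only field here" }];
const bareBody = { optionalField: "I'm the only field here" };
const validBody = { mandatoryField: 'set' };

console.log('vulnerable, array body:', outcome(vulnerablePipe, arrayBody));
console.log('hardened,   array body:', outcome(hardenedPipe, arrayBody));
console.log('hardened,   bare body: ', outcome(hardenedPipe, bareBody));
console.log('hardened,   valid body:', outcome(hardenedPipe, validBody));
```

The bare object is rejected by both pipes; only the array wrapper slips past the vulnerable one, because the Array has no validation metadata and so produces no errors. If an endpoint is genuinely meant to accept a list, give it a DTO that declares the array explicitly (class-validator's @ValidateNested({ each: true }) together with class-transformer's @Type()) rather than relying on the pipe passing arrays through, which is the point the maintainer makes about arrays and regular DTOs.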
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.