I use Celebrate (Joi) to validate the endpoints' input and Boom (made by the same person who made Joi) to report errors. With Boom, the error information is not the error output. It has a special output.payload sub-object which you send back to the client, while the rest of the info is for your own use (like writing to log files). I make sure to throw only Boom errors in my code; however, Joi and system errors are not, so my API error handler looks like:
Yeah, that's a fine way to do it. In your case, using your own error handler would probably be the way to go, as I'm not planning on introducing Boom into this module. This bug is specifically for Celebrate.errors(), which leaks the entire validated object back to the client.
I'll probably just end up copying what hapi does when it formats joi errors.
After reviewing this, I've removed the bug label. Worst-case scenario is that the client gets back the sent object, which they've already got. So no big deal.
The current error handler spits back the entire Joi validation message, which could be a pretty bad information leak, as it contains the entire object.
The hapi response looks something like this:
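The hapi output itself is not reproduced on this page. As an added example (not code from the celebrate project or from anyone in this thread), here is an Express-style error handler that answers a Joi validation failure with only the failing keys and messages, never the validated object. It assumes the Joi ValidationError shape (`isJoi`, `details[]` of `{ message, path, type, context }`, and `_object` holding the full input) and uses a constructed sample error.

```javascript
// Added example, not part of the celebrate issue or project.
// Constructed sample of a Joi ValidationError after validating a request body
// that also carried a secret. Both `_object` and `context.value` echo input,
// so neither may reach the client.
const sampleJoiError = {
  isJoi: true,
  name: 'ValidationError',
  message: 'child "email" fails because ["email" must be a valid email]',
  details: [
    { message: '"email" must be a valid email', path: ['email'], type: 'string.email',
      context: { value: 'not-an-email', key: 'email', label: 'email' } },
  ],
  _object: { email: 'not-an-email', password: 'hunter2', apiToken: 'tok_live_abc' },
};

// Client-facing payload: status, a generic message, and which keys failed
// with their messages. No _object, no context, no stack.
function toClientPayload(err, source = 'body') {
  if (!err || !err.isJoi) return null; // not a Joi error; caller decides
  const details = (err.details || []).map((d) => ({
    message: d.message,
    path: Array.isArray(d.path) ? d.path.join('.') : String(d.path),
    type: d.type,
  }));
  return {
    statusCode: 400,
    error: 'Bad Request',
    message: 'Invalid request input',
    validation: { source, keys: details.map((d) => d.path) },
    details,
  };
}

// Express-style error middleware (err, req, res, next). Non-Joi errors are
// passed on so they are not mislabelled as validation failures.
function validationErrorHandler(err, req, res, next) {
  const payload = toClientPayload(err);
  if (!payload) return next(err);
  return res.status(payload.statusCode).json(payload);
}

// Stand-alone run with a minimal fake `res`, so no Express install is needed.
function demo() {
  let sent;
  const res = { status() { return this; }, json(b) { sent = b; return this; } };
  validationErrorHandler(sampleJoiError, {}, res, () => {});
  return sent;
}

console.log(JSON.stringify(demo(), null, 2));
```

The full error (including `_object`) can still be logged server-side before the sanitised payload is sent; only the response is trimmed.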