Form: type? raises exception for unexpected Ruby type #135
Hi Luca – the issue here is that form schemas are intended to receive input from (rack-processed) form posts only. So this means the data should be: a top-level hash with string keys whose values are either strings, similarly structured hashes, or arrays of strings or hashes. The input you're passing here (a naked Since it's an unsupported use case, I think this is a case you probably don't need to include in your suite of validation tests?

@timriley I'm simulating form hijacking with this test. Please let me explain with an example.

We have this component on the server side:

```ruby
form = Dry::Validation.Form do
  required(:book).schema do
    required(:price).filled(:int?)
  end
end
```

A malicious user forged HTML on their browser:

```html
<form action="/books" method="POST" accept-charset="utf-8" id="book-form">
  <div>
    <input type="checkbox" name="book[price][]" value="1">
    <input type="checkbox" name="book[price][]" value="2">
  </div>
  <button type="submit">Create</button>
</form>
```

If they select one or more of the checkboxes and submit the form, we'll receive the following data:

```ruby
{"book"=>{"price"=>["1", "2"]}}
```

We expected This scenario explodes with the error reported above:

This is a bug in dry-types coercion! We blindly call

I'm gonna close this in favor of dry-rb/dry-types#86

This is related to: #132

Please note that `Schema` works fine.
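
The failure mode discussed in this thread, as an added example that is not part of the original issue and is not dry-validation or dry-types code: a coercion that assumes a string raises on the forged array, while a total coercion passes unexpected shapes through so the type check reports a validation error. `naive_coerce_int`, `coerce_int` and `validate_book` are hypothetical helpers, and every sample except the `book[price][]` payload quoted in the thread is constructed.

```ruby
# Added example: plain Ruby, not dry-validation / dry-types code.
# All helper names are hypothetical.
INT_RE = /\A-?\d+\z/

# Naive coercion: assumes every form value is a String.
# Integer(["1", "2"]) raises TypeError instead of yielding a validation error.
def naive_coerce_int(value)
  Integer(value)
end

# Total coercion: converts only strings that are plain decimal integers.
# Arrays, hashes, nil and malformed strings are returned unchanged.
def coerce_int(value)
  return value unless value.is_a?(String) && INT_RE.match?(value)
  Integer(value, 10)
end

# Validates book[price] in rack-style params; an empty hash means valid.
def validate_book(params)
  book = params.is_a?(Hash) ? params["book"] : nil
  return { "book" => ["must be a hash"] } unless book.is_a?(Hash)
  return { "book" => { "price" => ["is missing"] } } unless book.key?("price")
  return {} if coerce_int(book["price"]).is_a?(Integer)
  { "book" => { "price" => ["must be an integer"] } }
end

# Sample inputs. Only the second is from the thread; the rest are constructed.
SAMPLES = {
  "expected post"         => { "book" => { "price" => "10" } },
  "book[price][] forged"  => { "book" => { "price" => ["1", "2"] } },
  "book[price][x] forged" => { "book" => { "price" => { "x" => "1" } } },
  "book=1 forged"         => { "book" => "1" },
  "non-numeric price"     => { "book" => { "price" => "ten" } }
}.freeze

SAMPLES.each do |label, params|
  book = params["book"]
  price = book.is_a?(Hash) ? book["price"] : nil
  naive = begin
    naive_coerce_int(price).inspect
  rescue TypeError, ArgumentError => e
    "raises #{e.class}"
  end
  puts "#{label}: naive=#{naive} errors=#{validate_book(params).inspect}"
end
```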