Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

An array in the querystring can (by)pass the validation if the first element is correct, but useless when expecting a single value. #755

Closed
darkman82 opened this issue Aug 6, 2019 · 5 comments
Closed

An array in the querystring can (by)pass the validation if the first element is correct, but useless when expecting a single value. #755

darkman82 opened this issue Aug 6, 2019 · 5 comments
Labels
help wanted
Milestone
v7.0.0

Comments

@darkman82
Copy link

darkman82 commented Aug 6, 2019
edited

Hi guys,

Let's suppose we had a GET like that http://localhost:3000/test?type=new&type=foo

// Ver 6.1.1
router.get('/',
    v.query('type').isIn(['new','renewal','upgrade'])
    function (req, res) {
        const errors = v.validationResult(req);
        if (!errors.isEmpty())
             return res.status(422).json({errors: errors.array()});
        return res.status(200).json(req.matchedData);
    }
);
// Result: {"type":["new","foo"]}
// Expected: Validation failure (or sanitization)

It seems that this isn't a desired behavior as this would force us to do a further sanitization in order to consume the single parameter instead of the array.
Is that correct?

Thank you
@gustavohenke
Copy link
Member

Duplicate of #704

@gustavohenke gustavohenke marked this as a duplicate of #704 Aug 20, 2019
@darkman82
Copy link
Author

As a workaround we had to use not().isArray() for all fields or sanitization, eg:

v.query('currency').optional().not().isArray().isIn(['EUR','GBP','USD'])
// toInt() it's enough for numeric values
v.query('months').isIn(['1','3','6','12']).toInt(),

@fedeci
Copy link
Member

fedeci commented Feb 1, 2021

Also related to #791

@fedeci fedeci mentioned this issue Feb 23, 2021
Closed
9 tasks
@gustavohenke gustavohenke added this to the v7.0.0 milestone Apr 15, 2023
@gustavohenke
Copy link
Member

Hi hi, https://github.com/express-validator/express-validator/releases/tag/v7.0.0 is out with a fix for this 🙂

@rpt-uk-github rpt-uk-github mentioned this issue Dec 12, 2023
Merged
@darkman82
Copy link
Author

darkman82 commented Feb 8, 2024
edited

Hi,
Upgraded to 7.0.0.

You can still by-pass the validation as long as ALL elements are correct: http://localhost:3000/test?type=new&type=new

// Ver 7.0.0
router.get('/',
    v.query('type').isIn(['new','renewal','upgrade'])
    function (req, res) {
        const errors = v.validationResult(req);
        if (!errors.isEmpty())
             return res.status(422).json({errors: errors.array()});
        return res.status(200).json(req.matchedData);
    }
);

// Result: {"type":["new","new"]}
// Expected: Validation failure

Workaround: v.query('type').not().isArray().isIn(['new','renewal','upgrade'])

Note:
The vast majority of cases in query string is related to single values, so this should be the default expecting behavior as those expecting an array, can use toArray() to transform single values into array.

@fedeci fedeci mentioned this issue Feb 16, 2024
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted
Projects
None yet
Milestone
v7.0.0
Development

No branches or pull requests
3 participants
@gustavohenke @fedeci @darkman82