fast-json-stringify is not a validator #558
Conversation
|
Does it mean that we can drop all unnecessary validation checks in the next fastify major release? Because if not, then it's better to specify which validation check we do. |
|
It means that we offer no guarantees we will do any checks. If we want to do checks it's up to us. |
|
Why do we want to make some validation checks that are not used in serialization (they are just validation checks) and don't tell users about them? |
|
I want to say that validation in the fast-json-stringify is the main and one of the most difficult questions for me right now. We have a thread where we discuss how it should work in the next major. I agree that FJS doesn't guarantee that your input or output will match 100% of the schema, and I'm ok with such a comment. But the question is much deeper, and if we say that "fast-json-stringify makes no claim to validate the incoming data against the schema" it's a little bit strange for me that we throw an error if your data doesn't match the schema in some cases. |
README.md
Outdated
| The _data_ that `fast-json-stringify` serializes is trusted too. In other terms, | ||
| fast-json-stringify makes no claim to validate the incoming data against the schema. |
There was a problem hiding this comment.
The _data_ that `fast-json-stringify` serializes should be a trusted source.
Developer should take their responsibility to sanitize the _data_ before passing
to `fast-json-stringify`. The validation in this package is only against the `schema`
but not `malicious code`.
There was a problem hiding this comment.
Would it be better? @ivan-tymoshenko
There was a problem hiding this comment.
What do you mean by malicious code? Whatever it means I agree with this point, because FJS doesn't check your data for any malicious code. But I think you talking about something different. Sanitizing is not validation.
There was a problem hiding this comment.
Ok, I saw the original security report. I would say that: fast-json-stringify guarantees that you will get a valid output only if your input matches the schema or can be coerced to the schema. If your input doesn't match the schema, you will get undefined behavior.
|
Is it also worth using GitHub's info or warning highlighting syntax, to draw more attention to it? |
I would rather not rely on GitHub specific rendering syntax. Callouts with generic Markdown are easy enough -- https://github.com/fastify/fastify/blob/675b00d6ca7a7eeaad073e6469c70b50fcd532eb/docs/Guides/Getting-Started.md?plain=1#L94-L121 |
|
LGTM |
|
@climba03003 PTAL |
|
Ah the good old undefined behaviour :) |
Let's make it clear that fast-json-stringify is not a validator and the caller takes all the responsibilities on the safety of the data being rendered.
Checklist
and the Code of conduct