Disable allErrors in default Ajv config

Unfortunately `allErrors: true` is a DoS attack vector for certain schemas. See: ajv-validator/ajv@334071a Ref: https://hackerone.com/reports/903521
fastify · Jun 29, 2020 · 627096f · 627096f
1 parent 7788b90
commit 627096f
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 23 deletions.
diff --git a/docs/Validation-and-Serialization.md b/docs/Validation-and-Serialization.md
@@ -270,7 +270,6 @@ Fastify's [baseline ajv configuration](https://github.com/epoberezkin/ajv#option
   removeAdditional: true, // remove additional properties
   useDefaults: true, // replace missing properties and items with the values from corresponding default keyword
   coerceTypes: true, // change data type of data to match type keyword
-  allErrors: true,   // check for all errors
   nullable: true     // support keyword "nullable" from Open API 3 specification.
 }
 ```
@@ -287,7 +286,6 @@ const ajv = new Ajv({
   removeAdditional: true,
   useDefaults: true,
   coerceTypes: true,
-  allErrors: true,
   nullable: true,
   // any other options
   // ...
@@ -522,7 +520,7 @@ Inline comments in the schema below describe how to configure it to show a diffe
 ```js
 const fastify = Fastify({
   ajv: {
-    customOptions: { allErrors: true, jsonPointers: true },
+    customOptions: { jsonPointers: true },
     plugins: [
       require('ajv-errors')
     ]
@@ -569,11 +567,7 @@ If you want to return localized error messages, take a look at [ajv-i18n](https:
 ```js
 const localize = require('ajv-i18n')
 
-const fastify = Fastify({
-  ajv: {
-    customOptions: { allErrors: true }
-  }
-})
+const fastify = Fastify()
 
 const schema = {
   body: {

diff --git a/lib/schema-compilers.js b/lib/schema-compilers.js
@@ -31,7 +31,9 @@ function ValidatorCompiler (externalSchemas, options, cache) {
     coerceTypes: true,
     useDefaults: true,
     removeAdditional: true,
-    allErrors: true,
+    // Explicitly set allErrors to `false`.
+    // When set to `true`, a DoS attack is possible.
+    allErrors: false,
     nullable: true
   }, options.customOptions, { cache }))
 

diff --git a/test/schema-serialization.test.js b/test/schema-serialization.test.js
@@ -245,7 +245,7 @@ test('Shared schema should be pass to serializer and validator ($ref to shared s
       t.strictEqual(res.statusCode, 400)
       t.deepEqual(res.json(), {
         error: 'Bad Request',
-        message: 'body[0].location.email should match format "email", body[1].location.email should match format "email"',
+        message: 'body[0].location.email should match format "email"',
         statusCode: 400
       })
     })

diff --git a/test/validation-error-handling.test.js b/test/validation-error-handling.test.js
@@ -55,10 +55,10 @@ test('should fail immediately with invalid payload', t => {
     url: '/'
   }, (err, res) => {
     t.error(err)
-    t.deepEqual(JSON.parse(res.payload), {
+    t.deepEqual(res.json(), {
       statusCode: 400,
       error: 'Bad Request',
-      message: "body should have required property 'name', body should have required property 'work'"
+      message: "body should have required property 'name'"
     })
     t.strictEqual(res.statusCode, 400)
   })
@@ -115,19 +115,12 @@ test('should be able to attach validation to request', t => {
   }, (err, res) => {
     t.error(err)
 
-    t.deepEqual(JSON.parse(res.payload), [{
+    t.deepEqual(res.json(), [{
       keyword: 'required',
       dataPath: '',
       schemaPath: '#/required',
       params: { missingProperty: 'name' },
       message: 'should have required property \'name\''
-    },
-    {
-      keyword: 'required',
-      dataPath: '',
-      schemaPath: '#/required',
-      params: { missingProperty: 'work' },
-      message: 'should have required property \'work\''
     }])
     t.strictEqual(res.statusCode, 400)
   })
@@ -154,7 +147,7 @@ test('should respect when attachValidation is explicitly set to false', t => {
     t.deepEqual(JSON.parse(res.payload), {
       statusCode: 400,
       error: 'Bad Request',
-      message: "body should have required property 'name', body should have required property 'work'"
+      message: "body should have required property 'name'"
     })
     t.strictEqual(res.statusCode, 400)
   })
@@ -184,7 +177,7 @@ test('Attached validation error should take precendence over setErrorHandler', t
     url: '/'
   }, (err, res) => {
     t.error(err)
-    t.deepEqual(res.payload, "Attached: Error: body should have required property 'name', body should have required property 'work'")
+    t.deepEqual(res.payload, "Attached: Error: body should have required property 'name'")
     t.strictEqual(res.statusCode, 400)
   })
 })
@@ -277,7 +270,7 @@ test('should return a defined output message parsing AJV errors', t => {
     url: '/'
   }, (err, res) => {
     t.error(err)
-    t.strictEqual(res.payload, '{"statusCode":400,"error":"Bad Request","message":"body should have required property \'name\', body should have required property \'work\'"}')
+    t.strictEqual(res.payload, '{"statusCode":400,"error":"Bad Request","message":"body should have required property \'name\'"}')
   })
 })