-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
number().integer() can fail for values outside MAX_SAFE_INTEGER #1143
Comments
I would argue that this is a failing in Node (because the number is outside of the recognized range of integers): > const tooBig = 90071992547409910.1;
> tooBig
90071992547409900 If Node can't even assign the value to a variable and remember it correctly, I'm not sure we can expect |
FWIW, number().integer() uses Hoek.isInteger behind the scenes, which uses 3 checks: typeof value === 'number' &&
parseFloat(value) === parseInt(value, 10) &&
!isNaN(value) Node just can't hang, which is why this is passing validation: > typeof 90071992547409910.1
'number'
> parseInt(90071992547409910.1)
90071992547409900
> parseFloat(90071992547409910.1)
90071992547409900
> parseFloat(90071992547409910.1) === parseInt(90071992547409910.1)
true |
I think it would be preferable that joi always fails if |
Probably the typeof value === 'number' && Number.isSafeInteger(value) FYI, I validated that node 4 supports |
The problem also lies in joi, if you don't have |
That part I expect as a JS quirk. It's only the integer handling that bugs me. |
I'm seeing this as the API consumer, if you provide such a number and the backend is not able to parse it correctly, it should reject it, whether you asked for an integer or not. |
The problem is that there are valid use-cases for numbers outside the safe integer range, and it is part of how floating point works. "Fixing" the range for all numbers is likely to cause problems for such use-cases, while it most likely won't make any difference for those outside it. Essentially, number() should just be |
@nlf thoughts ? Are you willing to patch hoek or do I add this check in joi's |
sounds like this should probably get patched in hoek |
Now it's been discussed on hoek, I'm tempted to qualify this as a bug, as previous behavior was unsafe, thoughts ? (meaning patch version) |
What I originally reported is definitely a bug as it accepted a number followed by a dot + another number, which will never be an integer. Regarding the specific fix, I would tend to agree on treating this as a bugfix, though as usual it might break existing code that inadvertently relies on this. For semver purposes, it comes down to how it is described in the api, which is currently:
|
shouldn't this be tagged as a we use |
If you provide |
i agree, this isn't a breaking change. while it may be a change in behavior, it's fixing a bug. with the previous behavior if you had a validator such as the one in your example in a handler in hapi, and you were to make a request with an id like the one in your example, by default the id would've been changed and you would've been potentially manipulating an object you didn't expect. this fix pushes you to find these potential issues and find a safer way to validate your inputs to make sure you're getting reliable and consistent results. it may be inconvenient right now, but it's a win overall and fixes what could be a pretty significant bug in some cases. |
I agree wholeheartedly. |
my mistake was not actually understanding how @nlf, on a second thought, i totally agree with you. thanks for all your responses :) |
Context
What are you trying to achieve or the steps to reproduce ?
Which result you had ?
What did you expect ?
Some kind of error, like:
The text was updated successfully, but these errors were encountered: