Skip to content

Error on non-number limit rather than ignoring #207

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jdleesmiller wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Error on non-number limit rather than ignoring #207

jdleesmiller wants to merge 6 commits into from
+53 −26

Conversation

@jdleesmiller
Copy link

@jdleesmiller jdleesmiller commented Jun 22, 2019

Currently if you set a configuration limit, such as fileSize, to a string, the default is silently used instead.

Clearly passing a string is wrong (mea culpa!), but it is an easy mistake to make, because these limits are often set from environment variables. The result is that fileSize gets set to its default value of Infinity rather than the intended limit in the env var, leaving the app with no limit on the size of the files it would try to process.

A few seconds of searching on GitHub reveals I am not alone in making this blunder:

In my case, I had an app using node-config:

limits: {
    files: 1,
    fileSize: config.get('maxFileUploadSize')
  }

which was OK when the default limit came from a JSON config file and was a number. But then one day I added an environment variable override, so config.get returned a string, which caused fileSize to actually get the default value of Infinity.

Here I've proposed making it an error to do this. Doing so without a lot of repetition required making a helper function to get the limit from config and validate it.

I think this would be considered a breaking change. Some apps that are currently running insecurely without upload limits would instead crash on boot. That's not great either, of course, but I think on balance it would be better to fail fast rather than to run silently in an unsafe way.

mscdex
mscdex reviewed Jun 22, 2019
View reviewed changes
mscdex
mscdex reviewed Jun 22, 2019
View reviewed changes
mscdex
mscdex reviewed Jun 22, 2019
View reviewed changes
mscdex
mscdex reviewed Jun 22, 2019
View reviewed changes
mscdex
mscdex reviewed Jun 22, 2019
View reviewed changes
mscdex
mscdex reviewed Jun 22, 2019
View reviewed changes
jdleesmiller and others added 2 commits June 22, 2019 19:12
@jdleesmiller @mscdex
Apply suggestions from code review
c38b248 
Co-Authored-By: mscdex <mscdex@users.noreply.github.com>
@jdleesmiller
Add tests for null and NaN limits
0c0f9ce
@jdleesmiller
Copy link
Author

jdleesmiller commented Jun 22, 2019

Thanks for the quick feedback @mscdex ! I have accepted code review suggestions and added the tests for null and NaN.

charmander
charmander reviewed Jun 23, 2019
View reviewed changes
@jdleesmiller
Copy link
Author

jdleesmiller commented Jun 23, 2019

@charmander @mscdex Thanks! Now using strictEqual.

@Uzlopak Uzlopak mentioned this pull request Nov 29, 2021
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mscdex mscdex mscdex left review comments

+1 more reviewer

@charmander charmander charmander left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jdleesmiller @mscdex @charmander