Merge pull request #170 from peterjanes/master

JamesMessinger · web-flow · commit cbac12df49d2 · 2020-08-01T04:37:18.000-05:00
Don't allow non-numeric characters when parsing the `number` type.
diff --git a/lib/helpers/json-schema.js b/lib/helpers/json-schema.js
@@ -278,7 +278,7 @@ function parseNumber (schema, value, propPath) {
   value = getValueToValidate(schema, value);
 
   // Make sure it's a properly-formatted number
-  let parsedValue = parseFloat(value);
+  let parsedValue = value === "" ? NaN : Number(value);
   if (_.isNaN(parsedValue) || !_.isFinite(parsedValue)) {
     throw ono({ status: 400 }, '"%s" is not a valid numeric value', propPath || value);
   }
diff --git a/test/specs/json-schema/parse/parse-number.spec.js b/test/specs/json-schema/parse/parse-number.spec.js
@@ -177,4 +177,19 @@ describe("JSON Schema - parse number params", () => {
       expect(err.message).to.contain('Missing required header parameter "Test"');
     }));
   });
+
+  it("should be more strict than parseFloat()", (done) => {
+    let schema = {
+      type: "number",
+      required: true
+    };
+
+    let express = helper.parse(schema, "1z", done);
+
+    express.use("/api/test", helper.spy((err, req, res, next) => {
+      expect(err).to.be.an.instanceOf(Error);
+      expect(err.status).to.equal(400);
+      expect(err.message).to.contain('"1z" is not a valid numeric value');
+    }));
+  });
 });

Original file line number	Diff line number	Diff line change
`@@ -278,7 +278,7 @@ function parseNumber (schema, value, propPath) {`
`278`	`278`	`value = getValueToValidate(schema, value);`
`279`	`279`
`280`	`280`	`// Make sure it's a properly-formatted number`
`281`		`- let parsedValue = parseFloat(value);`
	`281`	`+ let parsedValue = value === "" ? NaN : Number(value);`
`282`	`282`	`if (_.isNaN(parsedValue) \|\| !_.isFinite(parsedValue)) {`
`283`	`283`	`throw ono({ status: 400 }, '"%s" is not a valid numeric value', propPath \|\| value);`
`284`	`284`	`}`