Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: validate entire array and not single elements #1280

Open
wants to merge 1 commit into
base: fedeci/fix-property-selection
Choose a base branch
from
Open

fix: validate entire array and not single elements #1280

wants to merge 1 commit into from

Conversation

fedeci
Copy link
Member

@fedeci fedeci commented Feb 16, 2024
edited

Description

To be merged after #1279
Closes #1230
Closes #1243
Related #755 (comment)

Maybe it is not the best time for doing this since we just released v7, but I changed my mind about forcing the entire array to comply with the validator.
We provide wildcards which are a great way to validate individual array items.
This PR is born because there are a lot of cases where validating individual items if not requested by the user leads to unexpected results.
Otherwise we can: add a param to body(''), check('')... to explicitly enable/disable array, or keep the current approach.

@gustavohenke wdyt?

To-do list

  • I have added tests for what I changed.
  • This pull request is ready to merge.

@coveralls
Copy link

Coverage Status

coverage: 100.0%. remained the same
when pulling d59da5b on fedeci/fix-array-validation
into ffd7994 on master.

@fedeci fedeci changed the title fix: validate entire array and not only fix: validate entire array and not single elements Feb 16, 2024
@darkman82
Copy link

darkman82 commented Feb 16, 2024
edited

Hi,
currently, to avoid unexpected results with arrays passed when single value is expected, we are forced to:

  • use isString() on each field for the query string
  • use isString() or not().isArray() for the body according to expected field type

FYI: even the AI (ChatGPT) understood that a standard behavior should not include the use of that workaround on all fields,
as, for example, when expecting a single Boolean value in the body it suggests: v.body('active').isBoolean() while the current approach must be v.body('active').not().isArray().isBoolean().

@fedeci
Copy link
Member Author

fedeci commented Feb 16, 2024
edited

I know this is a problem and I want to solve it as fast as possible, on a minor version possibly, even if that requires a breaking change.

p.s. ChatGPT is trained on data of [email protected], so whatever it is saying it is for that version of this library not 7.0.0.

@darkman82
Copy link

darkman82 commented Feb 16, 2024
edited

Hi,
I think this is not a matter of training, even tough v6 and v7 share the same behavior regarding the by-pass problem,
it's the common sense that suggests that validators should expect single values unless specified otherwise.

I discovered this problem by accident in 2019, after I had mistakenly duplicated the parameters in the query string. Then I realized that the issue was even more widespread, and obviously it crashed the entire logic after the validation.

If this was a wanted behavior, it is not obvious to me, nor to the AI.

@tuliomir tuliomir mentioned this pull request Feb 22, 2024
Merged
1 task
@gustavohenke gustavohenke changed the base branch from master to fedeci/fix-property-selection February 24, 2024 11:37
gustavohenke
gustavohenke requested changes Feb 24, 2024
View reviewed changes
package.json
@@ -34,7 +34,8 @@
"prepublishOnly": "tsc",
"postpublish": "npm run docs:publish",
"test": "jest",
"lint": "eslint --ignore-path .gitignore 'src/**/*.ts' && prettier -c ."
"lint": "eslint --ignore-path .gitignore 'src/**/*.ts' && prettier -c .",
"prettier": "prettier -w ."
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit 🤓

Suggested change
"prettier": "prettier -w ."
"lint:fix": "prettier -w ."

Then the equivalent command from eslint can be added too, if you like.

src/express-validator.spec.ts
@@ -183,4 +183,19 @@ describe('High level tests', () => {
const result = await body('foo.*.nop').exists().run(req);
expect(result.isEmpty()).toEqual(true);
});
it('should error array if no wildcard is used', async () => {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similar feeling to #1279 (comment).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gustavohenke gustavohenke gustavohenke requested changes

Assignees
No one assigned
Labels
⚠️ Breaking PR: bug fix
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Unexpected change in behaviour v6/v7 for .notEmpty() Empty array causing false positive
4 participants
@fedeci @coveralls @darkman82 @gustavohenke