> Some keywords in JSON Schemas can lead to very slow validation for certain data. These keywords include (but may not be limited to):
>
> - `pattern` and `format` for large strings - in some cases using `maxLength` can help mitigate it, but certain regular expressions can lead to exponential validation time even with relatively short strings (see ReDoS attack).
> - `patternProperties` for large property names - use `propertyNames` to mitigate, but some regular expressions can have exponential evaluation time as well.
> - `uniqueItems` for large non-scalar arrays - use `maxItems` to mitigate
>
> Do NOT use allErrors in production
>
> The suggestions above to prevent slow validation would only work if you do NOT use `allErrors: true` in production code (using it would continue validation after validation errors).
Unfortunately, express-openapi-validator overrides whatever the user attempts to set for allErrors:
AJV recommends setting option `allErrors` to `false` in production.
Update `createAjv()` to respect the user's setting. Avoid introducing a
breaking change by defaulting to `true` when not defined by the user.
Add tests:
1. Make sure `AjvOptions` sets the value appropriately based on whether
the end user defined `allErrors` or not.
2. When validating requests, make sure the number of errors reported
(when multiple occur) is 1 when `allErrors` is `false`.
The `allErrors` configuration for OpenAPISchemaValidator is not changed
by this commit since that validation is for trusted content.
Fixes cdimascio#954
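The option handling and the test expectation described in the commit message, as an added example that is not code from express-openapi-validator or Ajv: `ajvOptions` stands in for the fixed `createAjv()` defaulting, and `validate` is a constructed toy model of Ajv's `allErrors` semantics for `required`, `maxLength` and `pattern` (SCHEMA and BAD_REQUEST are constructed sample input). It shows why `allErrors: false` is the setting that makes `maxLength` an effective ReDoS guard: the regex is never evaluated once an earlier keyword has already failed.

```javascript
// Added example, not project or Ajv code. ajvOptions, validate, SCHEMA and
// BAD_REQUEST are constructed here to model the behaviour described above.

// Mirrors the fix: keep the user's `allErrors`, default to true only if unset.
function ajvOptions(userOptions = {}) {
  const allErrors = userOptions.allErrors === undefined ? true : userOptions.allErrors;
  return { ...userOptions, allErrors };
}

// Toy validator for `required`, `maxLength` and `pattern`, evaluated in that
// order. With allErrors=false it returns at the first failure, so a regex is
// never run on a string that already violated maxLength. Counts regex runs.
function validate(schema, data, { allErrors }) {
  const errors = [];
  let regexRuns = 0;
  // Records an error; returns true when validation must stop.
  const fail = (message) => {
    errors.push(message);
    return !allErrors;
  };
  for (const name of schema.required || []) {
    if (!(name in data) && fail(`missing required property "${name}"`)) {
      return { errors, regexRuns };
    }
  }
  for (const [name, sub] of Object.entries(schema.properties || {})) {
    const value = data[name];
    if (typeof value !== 'string') continue;
    if (sub.maxLength !== undefined && value.length > sub.maxLength) {
      if (fail(`"${name}" longer than maxLength ${sub.maxLength}`)) return { errors, regexRuns };
    }
    if (sub.pattern !== undefined) {
      regexRuns += 1; // the step a ReDoS-prone pattern makes expensive
      if (!new RegExp(sub.pattern).test(value) && fail(`"${name}" does not match pattern`)) {
        return { errors, regexRuns };
      }
    }
  }
  return { errors, regexRuns };
}

// Constructed sample: request missing `id`, with an oversized, non-matching name.
const SCHEMA = {
  required: ['id', 'name'],
  properties: { name: { maxLength: 8, pattern: '^[a-z]+$' } },
};
const BAD_REQUEST = { name: 'X'.repeat(20) };

console.log(validate(SCHEMA, BAD_REQUEST, ajvOptions({ allErrors: false })));
console.log(validate(SCHEMA, BAD_REQUEST, ajvOptions({})));
```

With `allErrors: false` one error is reported and no regex runs; with the default of `true` all three errors are reported and the pattern is evaluated against the oversized string.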
Is your feature request related to a problem? Please describe.

In AJV's security considerations documentation, they write "Do NOT use allErrors in production".

Unfortunately, express-openapi-validator overrides whatever the user attempts to set for `allErrors`:

express-openapi-validator/src/framework/ajv/index.ts, lines 33 to 37 in f20b1c9

Note: `allErrors` is also set to `true` in `OpenAPISchemaValidator`, but that is less concerning since it is just used for OpenAPI schema validation and not end user requests.

Describe the solution you'd like

It should be possible for developers to set `allErrors: false` and express-openapi-validator will respect it.

Describe alternatives you've considered

(none)

Additional context

This could help mitigate ReDoS attacks, at least to a small extent.