This issue was moved to a discussion.

BUG: zod accepts invalid url: z.string().url().safeParse("a:") #2477

Closed
valerii15298 opened this issue Jun 2, 2023 · 5 comments

valerii15298 commented Jun 2, 2023

Current behaviour:

// zod 3.21.4
import { z } from "zod";
console.log(z.string().url().safeParse("a:")); // {success: true}

I expect validation to fail there


JaneJeon commented Jun 3, 2023

It's because the URL is being validated with just a new URL(): https://github.com/colinhacks/zod/blob/master/src/types.ts#L757

Probably should add checks to make sure only certain protocols (http/https?) get through, and that it has a valid, non-empty host (or just use validator.js refinement)

@valerii15298
Author

@JaneJeon yeah... does not seem right to me using native URL class... I would choose validator.js for url validation really. Because with URL class we do not have any flexibility... For example class-validator uses validator.js url validation too.
I guess this is related: #120 (comment)
@colinhacks is there a place for negotiating url validation or what would be workarounds for that if I wanna validate http urls? Should I use refine for it or maybe there is a better solution?

stale bot commented Sep 3, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale bot added the stale (No activity in last 60 days) label Sep 3, 2023

JaneJeon commented Sep 3, 2023

Still unaddressed

stale bot removed the stale (No activity in last 60 days) label Sep 3, 2023
@JacobWeisenburger
Contributor

Is this what you are looking for?

import { z } from 'zod'
const schema = z.string().startsWith( 'http' ).url()
console.log( schema.safeParse( 'a:' ).success ) // false
console.log( schema.safeParse( 'http:a' ).success ) // true

If you found my answer satisfactory, please consider supporting me. Even a small amount is greatly appreciated. Thanks friend! 🙏
https://github.com/sponsors/JacobWeisenburger

Repository owner locked and limited conversation to collaborators Sep 23, 2023
JacobWeisenburger converted this issue into discussion #2785 Sep 23, 2023
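
One way to implement the stricter check suggested in the thread (scheme allow-list plus a real host on top of `new URL()`), as an added example that is not code from zod or from any participant. `checkHttpUrl` and `isHttpUrl` are hypothetical names, and the example goes slightly beyond the thread by also rejecting raw whitespace that the parser would silently strip.

```javascript
// Added example (not zod's code). checkHttpUrl / isHttpUrl are hypothetical names.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function checkHttpUrl(input) {
  if (typeof input !== "string") return { ok: false, reason: "not a string" };

  // The WHATWG parser silently strips leading/trailing spaces and embedded
  // tabs/newlines, so reject them in the raw input before parsing.
  if (/[\u0000-\u0020\u007f]/.test(input)) {
    return { ok: false, reason: "whitespace or control character" };
  }

  let url;
  try {
    url = new URL(input); // succeeds for "a:" (scheme "a", nothing else)
  } catch {
    return { ok: false, reason: "unparseable" };
  }

  // Allow-list on the parsed scheme, not a string prefix: "httpfoo://x"
  // starts with "http" and parses, but its protocol is "httpfoo:".
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: "scheme not allowed" };
  }

  // The parser repairs "http:a" and "http:/a" into "http://a/"; require the
  // "//" authority marker in the raw input so those are not accepted.
  if (!/^https?:\/\//i.test(input)) {
    return { ok: false, reason: "missing //" };
  }

  // http(s) URLs with an empty host already fail to parse; this check keeps
  // the guarantee if the allow-list is later extended to other schemes.
  if (url.hostname === "") return { ok: false, reason: "empty host" };

  return { ok: true, href: url.href };
}

const isHttpUrl = (input) => checkHttpUrl(input).ok;

// With zod: z.string().refine(isHttpUrl, { message: "Invalid http(s) URL" })
```

The returned `href` is the parser's normalized form, so storing or comparing that value avoids keeping two spellings of the same URL.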
