Well, this lib is not affected by the vulnerability, as it depends on class-validator 0.13+, so 0.14 will also work. The workaround you mentioned will still work the same way, as this lib just groups a bunch of decorators together.
First things first: I'm still new to JS / TS, NestJS and the involved ecosystem so please be patient with me in case I am heading in the wrong direction in the following:
I just found out this week that there is a big problem with the default configuration of class-validator before version 0.14:
GHSA-fj58-h2fr-3pp2
I would advise to consider upgrading the dependency to 0.14.
Be aware that this changes the default behaviour of the "forbidUnknownValues" option to be set to true by default starting in v 0.14 (https://github.com/typestack/class-validator/blob/develop/CHANGELOG.md#breaking-changes).
I already ran into a problem because of this when I had a DTO passed in a controller where the DTO did not have a single class-validator annotation.
In that case, when the controller has a validation pipeline with `{ whitelist: true, forbidNonWhitelisted: true }`, the request will be rejected (in my case this was configured by the global validation pipeline).
This issue seems to be related: nestjs/nest#10683
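Because a range such as 0.13+ can resolve to either side of the 0.14 boundary discussed above, the installed version is what matters. The following is an added example, not part of the original thread or of any project mentioned in it: it scans the `packages` map of a package-lock.json (lockfileVersion 2 or 3 assumed) for every copy of class-validator below 0.14.0, including nested ones. The sample lockfile is constructed, and `demo-app`, `some-dto-lib` and `class-validator-extras` are hypothetical names.

```javascript
// Constructed sample: a package-lock.json (lockfileVersion 2/3) reduced to the
// fields this check reads. Names other than class-validator and
// class-transformer are hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/class-validator": { version: "0.14.0" },
    "node_modules/some-dto-lib/node_modules/class-validator": { version: "0.13.2" },
    "node_modules/class-validator-extras": { version: "0.1.0" },
    "node_modules/class-transformer": { version: "0.5.1" },
  },
};

// First release in which forbidUnknownValues defaults to true.
const FIXED = [0, 14, 0];

// Parse "major.minor.patch" into numbers; any pre-release suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when version triple a sorts strictly before version triple b.
function isBefore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Return every installed copy of class-validator older than 0.14.0.
// Nested copies (pulled in by another dependency) are included.
function findOldClassValidator(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Only paths whose final segment is exactly "class-validator".
    if (!/(^|\/)node_modules\/class-validator$/.test(path)) continue;
    const parsed = parseVersion(meta.version);
    // An unparseable version is reported too, so it gets a manual look.
    if (parsed === null || isBefore(parsed, FIXED)) {
      hits.push({ path, version: meta.version ?? "unknown" });
    }
  }
  return hits;
}

console.log(findOldClassValidator(sampleLock));
```

Any copy reported here still runs with the old default, so it needs either an upgrade or `forbidUnknownValues: true` set explicitly wherever validation options are configured.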