Class Validator forbidUnknownValues

[dan-online]

Describe the Bug
Upon updating to class-validator@^0.14.0, any input regardless of validation throws a validation error as such:

{
  "data": {},
  "errors": [
    {
      "message": "Validation Error",
      "extensions": {
        "code": "BAD_USER_INPUT",
        "validationErrors": [
          {
            "constraints": {
              "unknownValue": "an unknown value was passed to the validate function"
            }
          }
        ]
      }
    }
  ]
}

To Reproduce

Create an input type:

@InputType()
export class AnInput {
  @Field()
  field: string;
}

Upon attempting to use the inputType, the error above throws

@Arg('input') input: AnInput

Expected Behavior

The error should not throw

Logs

ArgumentValidationError: Argument Validation Error
    at validateArg (/home/dan/Code/project/node_modules/type-graphql/dist/resolvers/validate-arg.js:55:15)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async Promise.all (index 0)
    at async dispatchHandler (/home/dan/Code/project/node_modules/type-graphql/dist/resolvers/helpers.js:83:24)
    at async /home/dan/Code/project/node_modules/type-graphql/dist/resolvers/helpers.js:84:26
    at async dispatchHandler (/home/dan/Code/project/node_modules/type-graphql/dist/resolvers/helpers.js:83:24) {
  validationErrors: [
    ValidationError {
      target: [LoginInput],
      value: undefined,
      property: undefined,
      children: [],
      constraints: [Object]
    }
  ]
}

Environment (please complete the following information):

• OS: Ubuntu 22
• Node: v16.18.0
• Package: 2.0.0-beta.1
• TypeScript: 4.9.4

Additional Context

I understand that using the beta package is most likely the issue, however it's been working pretty amazingly so far, and only this module bump caused an issue.

[MichalLytek]

Please try passing { forbidUnknownValues: false } into buildSchema option validate property.

This can be fixed in type-graphql too - src/resolvers/validate-arg.ts:

[dan-online]

While that does fix my issue in the short term, forbidUnknownValues is set default to true to prevent a security issue.. is there a different method the package can take here to prevent needing this value at false?

The security issue: #1668

[MichalLytek]

I will fix that in the long term via the snippet shown above.

GraphQL has own set of input field null/undefined validation, so the typical validation issues does not apply to the TypeGraphQL use cases 😉

[dan-online]

Awesome, thanks for the quick replies! I love the library and seeing the beta version motivated me to start a new project in it. If there's anything I can do to help I'd be more than glad to

[marlon-sousa]

Hello,

Do we have a roadmap for that fix?

As far as I could understand type-graphql 1.1.1 and class-validator 0.14.0 are not yet playing nicely together and versions less than 0.14.0 of class-validator have yarn audit issues.

Is setting { forbidUnknownValues: false } the only alternative by now?

Does { forbidUnknownValues: false } restore class-validator behavior to the 0.12.0 version?

[MichalLytek]

{ forbidUnknownValues: false } is the answer, "the fix" is just making this default setting.

[marlon-sousa]

A ok. I undestand that in type-graphql context setting this to false does not imply in insecure code because for type-graphql the original security issue is not applicable.

[MichalLytek]

Yes, GraphQL layer takes care about the set of properties in objects - its validation is done first, before class-validator check in TypeGraphQL.