Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: validator.isValid is not a function for certain objects #946

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix: validator.isValid is not a function for certain objects #946

wants to merge 1 commit into from

Conversation

ej-shafran
Copy link

@ej-shafran ej-shafran commented Nov 3, 2023
edited

Description

Describe the purpose of this PR along with any background information and the impacts of the proposed change. For the benefit of the community, please do not assume prior context.

Objects with keys like valueOf, toString, and __proto__ cause a TypeError to be raised when calling jwt.sign. This is because the key technically does exist on the schema param of validate, when checked with if (schema[key]) {}. Using
Object.prototype.hasOwnProperty solves the issue.

Provide details that support your chosen implementation, including: breaking changes, alternatives considered, changes to the API, etc.

I used Object.prototype.hasOwnProperty.call(schema, key). This method has full browser support. Alternatively, lodash.has could be installed and used, but I think that would be overkill.

References

Include any links supporting this change such as a:

GitHub Issue/PR number addressed or fixed

Fixes #945

Testing

Describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.

I have added test/issue_945.tests.js. It fails if the change made to sign.js is not present.

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not the default branch

@ej-shafran
fix: validator.isValid is not a function for certain objects
fe2805f 
Objects with keys like `valueOf`, `toString`, and `__proto__` cause a
`TypeError` to be raised when calling `jwt.sign`. This is because the
key technically does exist on the `schema` param of `validate`, when
checked with `if (schema[key]) {}`. Using
`Object.prototype.hasOwnProperty` solves the issue.
dubzzz
dubzzz reviewed Jan 31, 2024
View reviewed changes
test/issue_945.tests.js

const KEY = "any_key";

describe("issue 945 - validator.isValid is not a function", () => {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As the issue has been detected via property based testing mechanisms, I wonder if at some point having such tests to cover this project could be a thing. It seems that it could be useful in addition to these tests to avoid regressions or even more nasty bugs such as things related to nested objects...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dubzzz dubzzz dubzzz left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

sign crashes with validator.isValid is not a function for certain objects
2 participants
@ej-shafran @dubzzz