Critical vulnerability reported by Snyk on the validate method of the library #1397
Labels
status: duplicate
Issue is being tracked already in another issue.
type: fix
Issues describing a broken feature.
Description
A new critical vulnerability has been reported by Snyk on the validate method of the library.
Affected versions of this package are vulnerable to Improper Input Validation via bypassing the input validation in validate(), which can lead to cross-site scripting (XSS) or SQL injection. NOTE: There is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass.
Minimal code-snippet showcasing the problem - PoC by xiaofen9
import {validate, validateOrReject, Contains, IsInt, Length, IsEmail, IsFQDN, IsDate, Min, Max} from "class-validator";
import {plainToClass} from "class-transformer";
class Post {
}
let userJson = JSON.parse('{"title":1233, "proto":{}}'); // a malformed input
let users = plainToClass(Post, userJson);
validate(users).then(errors => { // errors is an array of validation errors
if (errors.length > 0) {
console.log("validation failed. errors: ", errors);
} else {
console.log("validation succeed");
}
});
Expected behavior
No critical vulnerability should arise
Actual behavior
Critical vulnerability
The text was updated successfully, but these errors were encountered: