fix: set `forbidUnknownValues` to true by default #1403

mikeguta · 2021-11-17T21:34:36Z

Description

This is an attempted fix for #438
It does so with a breaking change that uses a safe default of true for forbidUnknownValues. Only an explicit false value would preserve the previous default behaviour.

Checklist

the pull request title describes what this PR does (not a vague title like Update index.md)
the pull request targets the default branch of the repository (develop)
the code follows the established code style of the repository
- npm run prettier:check passes
- npm run lint:check passes
tests are added for the changes I made (if any source code was modified)
documentation added or updated
I have run the project locally and verified that there are no errors

Fixes

fixes #438

Other

35f8d20 Moved @types/validator to devDependencies
1b6af93 Fixed a couple of tests that were not returning promises and failing silently

….0 (typestack#1059)

)

…idator into fix-438-forbid-unknown-values

braaar · 2022-10-03T10:34:14Z

src/validation/ValidationExecutor.ts

-        `No metadata found. There is more than once class-validator version installed probably. You need to flatten your dependencies.`
+        `No metadata found. There is more than one class-validator version installed probably. You need to flatten your dependencies.`


This change seems to no belong in this PR, and there is another PR for this already #1127

michaeljauk · 2022-11-18T20:12:30Z

Is this going to be merged anytime soon?

NoNameProvided · 2022-11-20T17:36:12Z

This PR contains various unrelated changes, but I think all of this is landed already.

The significant change of setting forbidUnknownValues to true by default was merged in #1798.

The changed tests seem fine for me on develop now and re-adding @types/validator has an open PR.

github-actions · 2022-12-21T00:12:10Z

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

dependabot bot added 30 commits April 13, 2021 08:40

build(deps-dev): bump rollup from 2.45.1 to 2.45.2 (typestack#1021)

29abff6

build(deps-dev): bump @typescript-eslint/eslint-plugin (typestack#1020)

4251428

build(deps-dev): bump eslint-config-prettier from 8.1.0 to 8.2.0 (typ…

7a9248d

…estack#1022)

build(deps-dev): bump @types/node from 14.14.37 to 14.14.39 (typestac…

9e68074

…k#1023)

build(deps-dev): bump @types/node from 14.14.39 to 14.14.41 (typestac…

91cd9b5

…k#1026)

build(deps-dev): bump ts-jest from 26.5.4 to 26.5.5 (typestack#1027)

ab68d25

build(deps): bump validator from 13.5.2 to 13.6.0 (typestack#1030)

c8c077b

build(deps-dev): bump eslint-config-prettier from 8.2.0 to 8.3.0 (typ…

5a71a97

…estack#1034)

build(deps-dev): bump eslint from 7.24.0 to 7.25.0 (typestack#1035)

1f88415

build(deps-dev): bump eslint-plugin-jest from 24.3.5 to 24.3.6 (types…

78016a7

…tack#1036)

build(deps-dev): bump @types/jest from 26.0.22 to 26.0.23 (typestack#…

a3a4ee3

…1038)

build(deps-dev): bump @types/node from 14.14.41 to 15.0.0 (typestack#…

03d1a39

…1039)

build(deps-dev): bump @types/node from 15.0.0 to 15.0.1 (typestack#1040)

7fcc8a8

build(deps-dev): bump rollup from 2.45.2 to 2.46.0 (typestack#1042)

b613a90

build(deps): bump libphonenumber-js from 1.9.16 to 1.9.17 (typestack#…

1f89dfd

…1052)

build(deps-dev): bump rollup from 2.46.0 to 2.47.0 (typestack#1053)

65494d8

build(deps-dev): bump @types/node from 15.0.1 to 15.0.2 (typestack#1055)

a0aec07

build(deps-dev): bump @typescript-eslint/eslint-plugin (typestack#1058)

1196bb3

build(deps-dev): bump @rollup/plugin-commonjs from 18.0.0 to 18.1.0 (t…

c66324e

…ypestack#1057)

build(deps-dev): bump @typescript-eslint/parser from 4.22.0 to 4.22.1 (…

52b7403

…typestack#1056)

build(deps-dev): bump @rollup/plugin-node-resolve from 11.2.1 to 13.0…

6d7875d

….0 (typestack#1059)

build(deps-dev): bump ts-jest from 26.5.5 to 26.5.6 (typestack#1063)

98d3b39

build(deps): bump lodash from 4.17.19 to 4.17.21 (typestack#1065)

cde84b6

build(deps): bump hosted-git-info from 2.8.8 to 2.8.9 (typestack#1067)

051662a

build(deps-dev): bump lint-staged from 10.5.4 to 11.0.0 (typestack#1069)

0a0d39c

build(deps-dev): bump eslint from 7.25.0 to 7.26.0 (typestack#1070)

322bb8a

build(deps-dev): bump @rollup/plugin-commonjs from 18.1.0 to 19.0.0 (t…

23cefc2

…ypestack#1071)

build(deps-dev): bump @typescript-eslint/parser from 4.22.1 to 4.23.0 (…

3ba8007

…typestack#1074)

build(deps-dev): bump @types/node from 15.0.2 to 15.0.3 (typestack#1076)

f8db01e

build(deps-dev): bump @typescript-eslint/eslint-plugin (typestack#1075)

0384bd6

dependabot bot and others added 13 commits November 12, 2021 09:05

build(deps-dev): bump rollup from 2.59.0 to 2.60.0 (typestack#1391)

8b02685

build(deps-dev): bump eslint-plugin-jest from 25.2.3 to 25.2.4 (types…

04d6db8

…tack#1388)

build(deps-dev): bump lint-staged from 11.2.6 to 12.0.2 (typestack#1395)

3e83b6d

build(deps): bump @types/validator from 13.6.6 to 13.7.0 (typestack#1396

e11290f

)

fix: spelling

2c2205f

fix: make @types/validator a devDependency

35f8d20

test: unresolved promises hiding test failures

1b6af93

fix: typestack#438 default forbidUnknownValues to true

30b2579

docs: use examples from roim:patch-1

ae22f4c

docs: forbidUnknownValues in README

16fc83a

fix: erroneous package-lock.json

5ff4071

style: prettier fix

938fcc4

fix: merge from upstream

f8c004c

mikeguta changed the title ~~Fix 438 forbid unknown values~~ fix: #438 default forbidUnknownValues to true Nov 17, 2021

mikeguta marked this pull request as ready for review November 18, 2021 08:17

mikeguta mentioned this pull request Nov 18, 2021

fix: default settings allows arbitrary bypass vulnerability #438

Closed

dependabot bot and others added 2 commits November 18, 2021 09:05

build(deps): bump libphonenumber-js from 1.9.42 to 1.9.43 (typestack#…

b9d175d

…1404)

fix: Merge branch 'develop' of https://github.com/typestack/class-val…

1337695

…idator into fix-438-forbid-unknown-values

NoNameProvided force-pushed the develop branch from acb7de1 to c6984bb Compare November 20, 2021 10:31

palharez approved these changes Dec 23, 2021

View reviewed changes

aarifkhamdi approved these changes Feb 16, 2022

View reviewed changes

braaar reviewed Oct 3, 2022

View reviewed changes

braaar mentioned this pull request Oct 3, 2022

epic: overview of current fixes #1751

Closed

NoNameProvided changed the title ~~fix: #438 default forbidUnknownValues to true~~ fix: set forbidUnknownValues to true by default Nov 20, 2022

NoNameProvided closed this Nov 20, 2022

NoNameProvided added the status: superset by another Issue or task being tracked/handled in a different issue. label Nov 20, 2022

github-actions bot locked as resolved and limited conversation to collaborators Dec 21, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: set `forbidUnknownValues` to true by default #1403

fix: set `forbidUnknownValues` to true by default #1403

mikeguta commented Nov 17, 2021

braaar Oct 3, 2022

michaeljauk commented Nov 18, 2022

NoNameProvided commented Nov 20, 2022

github-actions bot commented Dec 21, 2022

		`No metadata found. There is more than once class-validator version installed probably. You need to flatten your dependencies.`
		`No metadata found. There is more than one class-validator version installed probably. You need to flatten your dependencies.`

fix: set forbidUnknownValues to true by default #1403

fix: set forbidUnknownValues to true by default #1403

Conversation

mikeguta commented Nov 17, 2021

Description

Checklist

Fixes

Other

braaar Oct 3, 2022

Choose a reason for hiding this comment

michaeljauk commented Nov 18, 2022

NoNameProvided commented Nov 20, 2022

github-actions bot commented Dec 21, 2022

fix: set `forbidUnknownValues` to true by default #1403

fix: set `forbidUnknownValues` to true by default #1403