This repository has been archived by the owner on Jun 11, 2024. It is now read-only.

Lisk Validator does not validate integer formats when provided as number #8617

Closed
Tracked by #7226
ishantiw opened this issue Jun 16, 2023 · 0 comments

Description

Lisk Validator supports the int32, int64, uint32, and uint64 data formats, which can be set in schemas as the value of a property’s format field. However, we found that specifying one of these formats for a property whose data type is set to “integer” (i.e., it is encoded as a number as opposed to a string) results in the format not being validated.
For example, the schema for the setHashOnionUsage request from the random module defines a height property with type set to “integer” and format set to “uint32”:

https://github.com/LiskHQ/lisk-sdk/blob/89e7504ef5eb6183aefe576a93be3d6052e56038/framework/src/modules/random/schemas.ts#L129-L147

Despite this, it is possible to provide a value of height to setHashOnionUsage that is negative or outside of the range of a 32-bit unsigned integer.

Furthermore, we created the following lisk-validator tests, designed to ensure correct validation of integer formats, which fail to reject negative uint32 values and int32 values above the range of a 32-bit integer.

Recommendation

Modify affected schemas to use the “string” type instead of “integer” in order to ensure that they are validated properly. Review lisk-validator’s handling of number types to ensure that integer properties provided as numbers are validated like their string counterparts.

Affected Version

v6.0.0-beta.2
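
The failure mode described in this issue, as an added sketch that is not lisk-validator's code and not part of the original report: a format check that runs only for string data lets number-typed values skip the range check. The names `validate`, `checkFormat` and `numbersToo`, and the schema itself, are hypothetical and constructed for illustration.

```javascript
// Added illustration; not lisk-validator source. All names are hypothetical.
const RANGES = {
  int32: [-(2n ** 31n), 2n ** 31n - 1n],
  uint32: [0n, 2n ** 32n - 1n],
  int64: [-(2n ** 63n), 2n ** 63n - 1n],
  uint64: [0n, 2n ** 64n - 1n],
};

// Range check shared by both encodings of an integer.
function inRange(format, value) {
  const [min, max] = RANGES[format];
  return value >= min && value <= max;
}

// numbersToo=false reproduces the bug pattern; numbersToo=true is the hardened form.
function checkFormat(format, data, { numbersToo }) {
  if (typeof data === 'string') {
    return /^-?\d+$/.test(data) && inRange(format, BigInt(data));
  }
  if (typeof data === 'number') {
    if (!numbersToo) return true; // format silently skipped for numbers
    // Numbers beyond 2^53 are not exact, so this sketch rejects them outright.
    return Number.isSafeInteger(data) && inRange(format, BigInt(data));
  }
  return false;
}

// Minimal validator: checks "type" first, then "format" if it is an integer format.
function validate(schema, obj, opts) {
  const errors = [];
  for (const [key, prop] of Object.entries(schema.properties)) {
    const v = obj[key];
    const typeOk = prop.type === 'integer' ? Number.isInteger(v) : typeof v === prop.type;
    if (!typeOk) {
      errors.push(`${key}: expected ${prop.type}`);
    } else if (prop.format in RANGES && !checkFormat(prop.format, v, opts)) {
      errors.push(`${key}: not a valid ${prop.format}`);
    }
  }
  return errors;
}

// Constructed schemas shaped like the height property described above.
const numberSchema = { properties: { height: { type: 'integer', format: 'uint32' } } };
const stringSchema = { properties: { height: { type: 'string', format: 'uint32' } } };

console.log(validate(numberSchema, { height: -1 }, { numbersToo: false })); // accepted: the bug
console.log(validate(numberSchema, { height: -1 }, { numbersToo: true }));  // rejected
console.log(validate(stringSchema, { height: '-1' }, { numbersToo: false })); // rejected
```

The string-typed schema rejects the negative value even in the buggy mode, which is why the report's recommendation to switch affected schemas to the “string” type works as a stopgap.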
