documenting changes
legrego committed Oct 22, 2019
1 parent 2136caa commit 8b7389a
Showing 2 changed files with 14 additions and 3 deletions.
7 changes: 7 additions & 0 deletions src/core/server/http/http_server.ts
@@ -136,6 +136,13 @@ export class HttpServer {
options: {
auth: authRequired ? undefined : false,
tags: tags ? Array.from(tags) : undefined,
// TODO: This 'validate' section can be removed once the legacy platform is completely removed.
// We are telling Hapi that NP routes can accept any payload, so that it can bypass the default
// validation applied in ./http_tools#getServerOptions
// (All NP routes are already required to specify their own validation in order to access the payload)
validate: {
payload: true,
},
},
});
}
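Review bot: The `validate: { payload: true }` override switches off the default `validateObject` payload check for every NP route, and the only backing for it is the comment's claim that NP routes must declare their own validation; nothing in this hunk points to where that requirement is enforced. A route schema that accepts unknown keys would, as far as this hunk shows, let keys such as `__proto__` through unchecked, so the invariant deserves a regression test as well as a pointer in the comment. I would extend the comment with `// NOTE: NP schemas that allow unknown keys get no prototype-pollution check here; the validation requirement is enforced in <module that wraps the request>` (placeholder, to be filled in with the real path). The route registration call this sits in starts above the hunk, so the handler wrapping is not visible here.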
10 changes: 7 additions & 3 deletions src/core/server/http/http_tools.ts
@@ -46,6 +46,10 @@ export function getServerOptions(config: HttpConfig, { configureTLS = true } = {
options: {
abortEarly: false,
},
// TODO: This payload validation can be removed once the legacy platform is completely removed.
// This is a default payload validation which applies to all LP routes which do not specify their own
// `validate.payload` handler, in order to reduce the likelyhood of prototype pollution vulnerabilities.
// (All NP routes are already required to specify their own validation in order to access the payload)
payload: value => Promise.resolve(validateObject(value)),
},
},
@@ -119,14 +123,14 @@ export function createServer(serverOptions: ServerOptions, listenerOptions: List
export interface HapiValidationError extends ValidationError {
output: {
statusCode: number;
headers: Util.Dictionary<string | string[]>;
headers: Util.Dictionary<string | Array<string>>;
payload: {
statusCode: number;
error: string;
message?: string;
validation: {
source: string;
keys: string[];
keys: Array<string>;
};
};
};
@@ -148,7 +152,7 @@ export function defaultValidationErrorHandler(
// https://github.com/hapijs/hapi/blob/master/lib/validation.js#L102
if (err && err.name === 'ValidationError' && err.hasOwnProperty('output')) {
const validationError: HapiValidationError = err as HapiValidationError;
const validationKeys: string[] = [];
const validationKeys: Array<string> = [];

validationError.details.forEach(detail => {
if (detail.path.length > 0) {
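Review bot: The new comment above `payload: value => Promise.resolve(validateObject(value))` should state that this default is replaced, not combined, when an LP route sets its own `validate.payload`, since by its own wording it applies only to routes that do not specify one. A route with a permissive schema therefore loses the prototype-pollution check with no visible signal, and as far as this hunk shows only `payload` is covered, not `query` or `params`. I would add `// NOTE: a route-level validate.payload replaces this check; permissive schemas are not covered.` and correct `likelyhood` to `likelihood`. getServerOptions begins and ends outside the hunk, so other defaults in the same options object are not visible here.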
