Unexploitable Error Reporting in API Responses #420

Open
benoit-scnd opened this issue Jun 22, 2023 · 4 comments
Assignees: samchon
Labels: documentation (Improvements or additions to documentation), good first issue (Good for newcomers), question (Further information is requested)

Comments

benoit-scnd commented Jun 22, 2023

Hello @samchon,

When sending requests that contain multiple typia errors, the API appears to halt and return an error response upon encountering the first error. This behavior means we need to go through multiple rounds of request correction to uncover and handle all the errors in the original request.

Here is an example:

```json
{
    "status": 400,
    "error": "Bad Request",
    "message": "Validation failed",
    "details": [
        {
            "path": "email",
            "message": "Must be a valid email address"
        },
        {
            "path": "password",
            "message": "Must be at least 8 characters"
        }
    ]
}
```
samchon (Owner) commented Jun 22, 2023

If you've installed nestia through the `npx nestia setup` command, then you can see such a comment in the plugins option. Change the `validate: assert` property value to `validate: validate`, then you can get what you want.

https://github.com/samchon/backend/blob/ed058fae2875533a1c201c4a757f45c22ca1326b/tsconfig.json#L69-L89
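For orientation, the plugins option referred to above, as an added illustration rather than a copy of the linked tsconfig.json. The shape below follows what `npx nestia setup` writes (the typia transform plus the `@nestia/core/lib/transform` entry whose `validate` key selects the validation function); setup writes `"validate": "assert"`, and the thread's suggestion is to switch it to `"validate"`. Treat the exact keys as an assumption and check them against the linked file before relying on them.

```json
{
  "compilerOptions": {
    "plugins": [
      { "transform": "typia/lib/transform" },
      {
        "transform": "@nestia/core/lib/transform",
        "validate": "validate"
      }
    ]
  }
}
```

With `"validate": "assert"` the request body is rejected at the first offending field; with `"validate": "validate"` every field is checked and all errors are returned together, which is the behaviour the issue asks for and the behaviour the next comment explains the cost of.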

@samchon samchon self-assigned this Jun 22, 2023
@samchon samchon added the question Further information is requested label Jun 22, 2023
benoit-scnd (Author)
Thank you! This should be the default behavior.

samchon (Owner) commented Jun 22, 2023

@benoit-scnd

The reason the validate() function has not been chosen as the default is that, if it were, hackers could easily attack the backend server just by sending large, vulnerable JSON data. Even though typia is 20,000x faster than class-validator, the validation process runs on the main thread, and it stops the entire server during the operation.

That is why I've selected the assert() function as the default.

Actually, you can easily spoil a NestJS backend server just by sending large, invalid JSON data, because class-validator can only validate 3MB per second.
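The trade-off described above, as an added example that is not part of the original thread and not typia's or nestia's code: a small hand-written validator with a fail-fast mode (the assert behaviour, stop at the first error) and a collect-all mode (the validate behaviour, walk everything and keep every error), run on a constructed payload whose every array element is invalid. The `visited` counter, the field names, the constructed payloads and the response cap are assumptions of this example; typia's generated validators are compiled from the type and will not match these numbers, but the asymmetry is the one the comment describes.

```typescript
// Added example (not typia's or nestia's code): one validator, two modes.
//   assertFailFast()     stops at the first error, like typia.assert()
//   validateCollectAll() walks the whole payload and keeps every error, like typia.validate()
// `visited` counts checks performed on the main thread, a proxy for CPU time.

interface ValidationError {
  path: string;
  message: string;
}

interface Outcome {
  success: boolean;
  errors: ValidationError[];
  visited: number; // checks performed before the walk ended
}

// The sink decides whether the walk continues after an error (true) or stops (false).
type ErrorSink = (err: ValidationError) => boolean;

// Deliberately simple email shape check; not an RFC 5322 parser.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Walk one input shaped like { email: string; password: string; tags: string[] }
// and report each violation to the sink. Returns the number of checks performed.
function walk(input: unknown, sink: ErrorSink): number {
  let visited = 0;
  const report = (path: string, message: string): boolean => sink({ path, message });

  visited++;
  if (typeof input !== "object" || input === null) {
    report("$input", "Expected object");
    return visited;
  }
  const obj = input as Record<string, unknown>;

  visited++;
  if (typeof obj.email !== "string" || !EMAIL_RE.test(obj.email)) {
    if (!report("email", "Must be a valid email address")) return visited;
  }

  visited++;
  if (typeof obj.password !== "string" || obj.password.length < 8) {
    if (!report("password", "Must be at least 8 characters")) return visited;
  }

  visited++;
  if (!Array.isArray(obj.tags)) {
    report("tags", "Expected string[]");
    return visited;
  }
  // Every element is checked, so a long array of wrong elements is the cheapest
  // way for a sender to buy validator time (and error-object allocations) in collect-all mode.
  for (let i = 0; i < obj.tags.length; i++) {
    visited++;
    if (typeof obj.tags[i] !== "string") {
      if (!report(`tags[${i}]`, "Expected string")) return visited;
    }
  }
  return visited;
}

function runWalk(input: unknown, keepGoing: boolean): Outcome {
  const errors: ValidationError[] = [];
  const visited = walk(input, (err) => {
    errors.push(err);
    return keepGoing;
  });
  return { success: errors.length === 0, errors, visited };
}

// Fail-fast: the first error ends the walk (the assert behaviour).
function assertFailFast(input: unknown): Outcome {
  return runWalk(input, false);
}

// Collect-all: the whole payload is walked and every error is kept (the validate behaviour).
function validateCollectAll(input: unknown): Outcome {
  return runWalk(input, true);
}

// The 400 shape from the issue, plus a cap (an assumption of this example, not from the
// thread) so that a sender-sized error list is not echoed back in full.
const MAX_DETAILS = 20;
function toBadRequest(outcome: Outcome) {
  return {
    status: 400,
    error: "Bad Request",
    message: "Validation failed",
    details: outcome.errors.slice(0, MAX_DETAILS),
    truncated: outcome.errors.length > MAX_DETAILS,
  };
}

// Constructed inputs (not taken from the issue).
const issueLikePayload = { email: "benoit", password: "short", tags: [] as unknown[] };
const validPayload = { email: "alice@example.com", password: "correct horse battery", tags: ["a", "b"] };
// One request in which every array element is wrong; the size is the sender's choice.
const hostilePayload = { email: "nope", password: "short", tags: new Array(100000).fill(0) };

function summarize(label: string, o: Outcome): string {
  return `${label}: success=${o.success} errors=${o.errors.length} visited=${o.visited}`;
}

console.log(summarize("fail-fast   / hostile", assertFailFast(hostilePayload)));
console.log(summarize("collect-all / hostile", validateCollectAll(hostilePayload)));
console.log(JSON.stringify(toBadRequest(validateCollectAll(issueLikePayload)), null, 2));
```

Run it with ts-node or compile with tsc. On the hostile payload fail-fast performs two checks and returns one error, while collect-all performs one check and allocates one error object per element, all on the main thread, before the request can be rejected. On the issue-like payload collect-all yields exactly the two-entry details list shown in the issue. The `details` cap is a separate point the thread does not raise: without it, a collect-all validator also amplifies response size in proportion to the input.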

@samchon samchon added documentation Improvements or additions to documentation good first issue Good for newcomers labels Jun 22, 2023
samchon (Owner) commented Jun 22, 2023

Anyway, I had to write guide documents about this issue, but I have delayed it for a long time.

I'll keep this issue open, and will close it after writing guide documents as an FAQ corner someday (not sure when).
