11 changes: 4 additions & 7 deletions README.md
Expand Up @@ -108,9 +108,7 @@ There are some tightly coupled but untyped decorators and things like that in ne

### 4. Security

There is a CVE for class-transformer when using random javascript objects. You need to be careful about configuring the ValidationPipe in NestJs. See
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18413
https://github.com/typestack/class-validator/issues/438
There is a CVE for class-transformer when using random javascript objects. You need to be careful about configuring the ValidationPipe in NestJs. See [`should-specify-forbid-unknown-values`](./src/docs/rules/should-specify-forbid-unknown-values.md).

## To install
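Review bot: the new README link `./src/docs/rules/should-specify-forbid-unknown-values.md` is a repository-relative path, so it resolves on GitHub but is a dead link wherever the README is rendered on its own (the npm package page, for instance); if the docs directory is not shipped in the package, point it at the absolute GitHub URL for that file instead. Dropping the bare CVE and issue URLs from the README is fine as long as the linked rule page keeps them, which the later hunk in this diff does.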

Expand Down Expand Up @@ -208,8 +206,7 @@ Note: You can easily turn off all the swagger rules if you don't use swagger by
Disable a single rule with the full name e.g. in your eslint configuration...

```ts
rules: {
"@darraghor/nestjs-typed/api-property-returning-array-should-set-array":
"off",
}
rules: {
"@darraghor/nestjs-typed/api-property-returning-array-should-set-array": "off",
}
```
@@ -1,12 +1,11 @@
### Rule: validation-pipe-should-forbid-unknown
### Rule: should-specify-forbid-unknown-values

This checks when if you are setting ValidationPipe parameters you set forbidUnknownValues to true.

The rule is ignored if you use a spread operator to pass options to the validation pipe constructor.

There is a CVE for class-transformer when using random javascript objects. You need to be careful about configuring the ValidationPipe in NestJs. See
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18413
https://github.com/typestack/class-validator/issues/438
There is a CVE for class-transformer when using random javascript objects. You need to be careful about configuring the ValidationPipe in NestJs.
See <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18413>, <https://github.com/typestack/class-validator/issues/438> & <https://github.com/nestjs/nest/issues/10683>.
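Review bot: the unchanged line "This checks when if you are setting ValidationPipe parameters you set forbidUnknownValues to true." still reads "when if"; since this file is being edited anyway, drop "when". The added nestjs/nest#10683 link is the important one, because it is the reason the rule exists: NestJS turns the class-validator default back to false, so an explicit `forbidUnknownValues: true` is required. Given that, the sentence "The rule is ignored if you use a spread operator to pass options" deserves one more clause telling the reader that in that case the lint cannot verify the setting and they must check the spread object themselves.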
added link to the nestjs issue which explains that NestJs sets the default to false again (overwriting the class-validator default).


e.g. this PASSES because the property is set

Expand Up @@ -13,7 +13,7 @@ const ruleTester = new RuleTester({
},
});

ruleTester.run("validation-pipe-should-use-forbid-unknown", rule, {
ruleTester.run("should-specify-forbid-unknown-values", rule, {
valid: [
{
code: `
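Review bot: only the `ruleTester.run` title changes in this hunk. The rule doc in this same diff says the check applies "if you are setting ValidationPipe parameters", while the newly linked NestJS issue explains that NestJS resets forbidUnknownValues to false, which makes a bare `new ValidationPipe()` with no options object the risky call. Worth confirming that the `invalid` cases include that bare constructor and not only an options object that omits the key; if the rule intentionally does not flag it, the doc should say so.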
@@ -1,6 +1,5 @@
import {TSESTree} from "@typescript-eslint/utils";
import {ASTUtils, TSESTree} from "@typescript-eslint/utils";
import {createRule} from "../../utils/createRule.js";
import {ASTUtils} from "@typescript-eslint/utils";

export const isValidationPipeNewExpression = (node: TSESTree.Node): boolean => {
const newExpression = node as TSESTree.NewExpression;
Expand Down Expand Up @@ -82,7 +81,7 @@ export const shouldTriggerForVariableDeclaratorExpression = (
};

const rule = createRule<[], "shouldSpecifyForbidUnknownValues">({
name: "validation-pipe-should-use-forbid-unknown",
name: "should-specify-forbid-unknown-values",
meta: {
docs: {
description:
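Review bot: renaming the rule from `validation-pipe-should-use-forbid-unknown` to `should-specify-forbid-unknown-values` is a breaking change for every eslint config that references the old name, which will now fail with an unknown-rule error; add a changelog entry and consider a major version bump. The rename also resolves an existing inconsistency visible in this diff: the old doc heading said `validation-pipe-should-forbid-unknown` while the code and test used `validation-pipe-should-use-forbid-unknown`, so after this change all three agree. Make sure the plugin's rule index and any `recommended` config export the new key as well.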