ajv
Specify maximum errors
What version of Ajv are you using?
6.12.3
What problem do you want to solve?
We recently received a CodeQL security vulnerability relating to setting allErrors: true
in AJV because this can cause resource exhaustion if a nefarious payload is provided.
It would be ideal to be able to specify a specific upper limit of errors before validation is exited. Otherwise, we have to specify allErrors: false
and users have to continually re-submit their payloads because only one error is returned at a time, which is a poor user experience.
It would be best if we can specify an upper limit (like 1000 errors) so that users can receive more than one error at a time, and we ensure that a resource exhaustion attack is mitigated based on the available hardware.
What do you think is the correct solution to the problem?
Add a new property to Ajv options that specifies the maximum number of errors allowed, and then use that in the validation function to return early once reached.
Will you be able to implement it?
Yes, if I can get some guidance on where this validation takes place.
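The middle ground the issue asks for can be approximated on the caller side without changes to Ajv. The following is an added example, not code from Ajv or from the issue author. It assumes an Ajv-style validator (a function that returns a boolean and leaves an array, or null, on `validate.errors`, as Ajv 6 compiled validators do) and uses a constructed stand-in validator so it runs without the `ajv` package. The work that `allErrors: true` can do is bounded by the number of JSON nodes in the instance times the keywords that apply to each, so bounding the node count before validation bounds the error count; `maxErrors` then only trims what is sent back to the client. The names `countNodes`, `boundedValidate`, `maxNodes` and `maxErrors` are hypothetical, not Ajv options.

```javascript
// Caller-side mitigation (added example; not part of Ajv, which has no
// maxErrors option in 6.12.3).

// Count JSON nodes (objects, arrays, scalars) iteratively, stopping as soon
// as the limit is exceeded so the walk itself stays cheap on large input.
function countNodes(value, limit) {
  let count = 0;
  const stack = [value];
  while (stack.length) {
    const v = stack.pop();
    count += 1;
    if (count > limit) return count;
    if (Array.isArray(v)) {
      for (const item of v) stack.push(item);
    } else if (v !== null && typeof v === 'object') {
      for (const key of Object.keys(v)) stack.push(v[key]);
    }
  }
  return count;
}

// Reject oversized instances before validation (this is what bounds the
// validator's work), then cap the number of errors returned to the client.
function boundedValidate(validate, data, { maxNodes = 10000, maxErrors = 100 } = {}) {
  const nodes = countNodes(data, maxNodes);
  if (nodes > maxNodes) {
    return { ok: false, rejected: 'payload too large', errors: [], truncated: false };
  }
  const ok = validate(data);
  const all = validate.errors || []; // Ajv sets errors to null when valid
  return {
    ok,
    rejected: null,
    errors: all.slice(0, maxErrors),
    truncated: all.length > maxErrors,
  };
}

// Constructed stand-in for an Ajv-compiled validator for the schema
// { type: 'array', items: { type: 'number' } }, following Ajv's contract
// (boolean return, errors on the function object). Used only so the example
// runs offline; a real caller would pass ajv.compile(schema).
function numbersOnly(data) {
  const errors = [];
  if (!Array.isArray(data)) {
    errors.push({ dataPath: '', keyword: 'type', message: 'should be array' });
  } else {
    data.forEach((item, i) => {
      if (typeof item !== 'number') {
        errors.push({ dataPath: `[${i}]`, keyword: 'type', message: 'should be number' });
      }
    });
  }
  numbersOnly.errors = errors.length ? errors : null;
  return errors.length === 0;
}

// Constructed sample input: fifty invalid items, so an allErrors-style
// validator produces fifty errors and the client sees the first ten.
const sample = Array.from({ length: 50 }, () => 'x');
console.log(boundedValidate(numbersOnly, sample, { maxNodes: 1000, maxErrors: 10 }));
```

In an HTTP service the node bound plays the same role as a body-size limit on the JSON parser; either one keeps the cost of `allErrors: true` proportional to a size you chose, which is the property the security doc is warning about. The `truncated` flag lets the client know more errors exist without the server having to enumerate them.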
The security doc specifically says you should not use allErrors: true in production servers, and there are some other points: https://ajv.js.org/security.html
Thanks @epoberezkin. I read the security docs and understand we shouldn't use this in production - but is there not a way we can find a middle ground so that users can receive more than a single error at a time? This is not a great user experience.
Re proposed feature - it's non-trivial, it will affect all code generation, and likely to have a negative performance impact. Let's keep the issue open and see if there is more interest in this feature, right now it doesn't seem like a good value tbh.
Assuming API users are developers you can always provide a sandbox server for testing to receive all errors, and you should not really use API to generate user facing errors - for this purpose you can run Ajv (or pre-compiled schemas) client side.
@epoberezkin Ok - appreciate the quick reply.
it's completely accidental, I am very rarely that responsive :)))
:+1: