ValidationPipe({transform: true}) transforms non-numeric strings to NaN

Open thw0rted opened this issue 1 month ago • 0 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Current behavior

ValidationPipe does not validate the type of primitive arguments (@Query / @Param), but when the transform argument is true then it converts primitives from string values. One side effect of this is that optional query params that are not specified get converted from undefined to NaN. This will be fixed in this open PR. Another side effect is that values that are obviously non-numeric get converted to NaN.

This is technically correct, because even though NaN means "Not a Number", its type is number (because JS is a mess). But it's definitely surprising, and I would argue that it's a bug for the ValidationPipe to turn "abc" into NaN and thus "pass" validation, rather than treating the request as an error.

Minimum reproduction code

https://stackblitz.com/edit/nestjs-typescript-starter-4qeqaj?file=src%2Fmain.ts

Steps to reproduce

  1. Open reproduction
  2. Navigate to (stackblitz URL)/123, page shows "ID 123 is number"
  3. Navigate to (stackblitz URL)/abc, page shows "ID NaN is number"

Expected behavior

ValidationPipe should reject requests when a parameter is supposed to be a number but converts as NaN.

Package

  • [ ] I don't know. Or some 3rd-party package
  • [X] @nestjs/common
  • [ ] @nestjs/core
  • [ ] @nestjs/microservices
  • [ ] @nestjs/platform-express
  • [ ] @nestjs/platform-fastify
  • [ ] @nestjs/platform-socket.io
  • [ ] @nestjs/platform-ws
  • [ ] @nestjs/testing
  • [ ] @nestjs/websockets
  • [ ] Other (see below)

Other package

No response

NestJS version

10.3.0

Packages versions

[Nest CLI] Nest CLI Version : 10.3.0

[Nest Platform Information]
platform-express version : 10.3.8
schematics version : 10.1.0
passport version : 10.0.3
swagger version : 7.2.0
testing version : 10.3.0
common version : 10.3.0
config version : 3.1.1
core version : 10.3.0
cli version : 10.3.0

Node.js version

v20.9.0

In which operating systems have you tested?

  • [ ] macOS
  • [X] Windows
  • [ ] Linux

Other

No response

thw0rted avatar May 10 '24 16:05 thw0rted
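
The behaviour reported above, as an added stand-alone example (not code from the issue or from NestJS): it models the loose string-to-number coercion, shows why a NaN that "passes" as a number also slips through an ordinary range check, and contrasts it with a strict parser that rejects the input. `looseCoerce`, `passesNaiveRangeGuard`, `parseIdStrict` and the sample inputs are hypothetical names and values chosen for illustration, and `Number(raw)` is an assumed stand-in for the pipe's conversion.

```typescript
// Added example, not NestJS source: models the loose string-to-number
// coercion from the issue and a strict parser that rejects such input.

type ParseResult =
  | { ok: true; value: number }
  | { ok: false; reason: string };

// Assumption: Number(raw) stands in for the pipe's primitive conversion.
function looseCoerce(raw: string | undefined): number {
  return Number(raw);
}

// Hypothetical downstream guard. Every comparison with NaN is false,
// so NaN is never flagged as out of range.
function passesNaiveRangeGuard(id: number): boolean {
  if (id < 1 || id > 1000) return false;
  return true;
}

// Strict alternative: canonical base-10 integers in the safe range only.
function parseIdStrict(raw: string | undefined): ParseResult {
  if (raw === undefined) return { ok: false, reason: "missing" };
  if (!/^-?\d+$/.test(raw)) return { ok: false, reason: "not a base-10 integer" };
  const value = Number(raw);
  if (!Number.isSafeInteger(value)) return { ok: false, reason: "outside safe integer range" };
  return { ok: true, value };
}

// Constructed sample inputs; only "123" and "abc" appear in the issue.
const SAMPLES: (string | undefined)[] = ["123", "abc", undefined, "", "0x10", "1e3", "9007199254740993"];

// Side-by-side result for each sample.
function compare(samples: (string | undefined)[]) {
  return samples.map((raw) => {
    const loose = looseCoerce(raw);
    return { raw, loose, looseType: typeof loose, guardPasses: passesNaiveRangeGuard(loose), strict: parseIdStrict(raw) };
  });
}

const REPORT = compare(SAMPLES);
```

In a Nest handler, the built-in `ParseIntPipe` applied to the individual parameter rejects non-numeric input instead of passing NaN to the handler.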