express-joi
work with prototype-less objects
I first reported this at but it turns out that the bug was in this library.

Since the data validated by this library often is user provided input, I think we should consider it "unsafe". Instead of using `hasOwnProperty` directly on input objects, I think it would be better to make sure that we are actually using the builtin method `hasOwnProperty` instead of the one on the provided object. This simple input from the user currently causes an error: `{ hasOwnProperty: 'hello' }`. This could be fixed by changing the use of hasOwnProperty to use an already defined function. E.g.

```js
function hasOwnProperty (obj, prop) {
  return Object.prototype.hasOwnProperty.call(obj, prop)
}

// Instead of this:
input.hasOwnProperty(schema.key)

// We use this:
hasOwnProperty(input, schema.key)
```

This would also have the benefit of being able to validate objects without a prototype (e.g. created by `Object.create(null)`). These objects are usually used when you want to use a hash map, which I also think that the input to this library usually is. You can read more on why you shouldn't use a normal js object as a hash map here: Blog post by Guillermo Rauch, Article on 2ality

In `multer`, an express middleware for accepting multipart forms, we provide the data with a prototype-less object. This led one of our users to report expressjs/multer#171 to us, which would be solved by this.

This patch fixes that and adds a test for it.
@petreboy14 Your build is failing because 0.6 and 0.8 ship with an older version of npm, this pull request is not responsible for that. I would love it if this could get merged :+1:
ping @petreboy14 this is still relevant...
ping @petreboy14 ☺️
ping @petreboy14 ☺️