Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ValidationPipe({transform: true}) transforms non-numeric strings to NaN #13559

Closed
3 of 15 tasks
thw0rted opened this issue May 10, 2024 · 2 comments
Closed
3 of 15 tasks

ValidationPipe({transform: true}) transforms non-numeric strings to NaN #13559

thw0rted opened this issue May 10, 2024 · 2 comments
Labels
needs triage This issue has not been looked into

Comments

@thw0rted
Copy link

Is there an existing issue for this?

  • I have searched the existing issues

Current behavior

ValidationPipe does not validate the type of primitive arguments (@Query / @Param), but when the transform argument is true then it converts primitives from string values. One side effect of this is that optional query params that are not specified, get converted from undefined to NaN. This will be fixed in this open PR. Another side effect is that values that are obviously non-numeric get converted to NaN.

This is technically correct, because even though NaN means "Not a Number", its type is number (because JS is a mess). But it's definitely surprising, and I would argue that it's a bug for the ValidationPipe to turn "abc" into NaN and thus "pass" validation, rather than treating the request as an error.

Minimum reproduction code

https://stackblitz.com/edit/nestjs-typescript-starter-4qeqaj?file=src%2Fmain.ts

Steps to reproduce

  1. Open reproduction
  2. Navigate to (stackblitz URL)/123, page shows "ID 123 is number"
  3. Navigate to (stackblitz URL)/abc, page shows "ID NaN is number"

Expected behavior

ValidationPipe should reject requests when a parameter is supposed to be a number but converts as NaN.

Package

  • I don't know. Or some 3rd-party package
  • @nestjs/common
  • @nestjs/core
  • @nestjs/microservices
  • @nestjs/platform-express
  • @nestjs/platform-fastify
  • @nestjs/platform-socket.io
  • @nestjs/platform-ws
  • @nestjs/testing
  • @nestjs/websockets
  • Other (see below)

Other package

No response

NestJS version

10.3.0

Packages versions

[Nest CLI]
Nest CLI Version : 10.3.0

[Nest Platform Information]
platform-express version : 10.3.8
schematics version : 10.1.0
passport version : 10.0.3
swagger version : 7.2.0
testing version : 10.3.0
common version : 10.3.0
config version : 3.1.1
core version : 10.3.0
cli version : 10.3.0

Node.js version

v20.9.0

In which operating systems have you tested?

  • macOS
  • Windows
  • Linux

Other

No response
@thw0rted thw0rted added the needs triage This issue has not been looked into label May 10, 2024
@thw0rted thw0rted mentioned this issue May 10, 2024
Closed
15 tasks
@kamilmysliwiec
Copy link
Member

#12893

@thw0rted
Copy link
Author

@kamilmysliwiec Are you sure that MR fixes this issue? The MR addresses undefined input values, but wouldn't the value when transforming the route param in /abc just be "abc", rather than undefined?

I think you may need to either check that the value is numeric (!isNan(value), isFinite(value) etc) or just go ahead and convert it, then if the result is NaN, just return undefined.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs triage This issue has not been looked into
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@thw0rted @kamilmysliwiec