-
-
Notifications
You must be signed in to change notification settings - Fork 642
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: warn when json validator does not find a content type in the request #3707
base: main
Are you sure you want to change the base?
Conversation
Thanks! I'll check it later. |
- Fixed a code typo that said `.get` instead of `.post` - Updated wording about "warning" in anticipation of honojs/hono#3707 - Reworded code block descriptors
- Fixed a code typo that said `.get` instead of `.post` - Updated wording about "warning" in anticipation of honojs/hono#3707 - Reworded code block descriptors
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #3707 +/- ##
=======================================
Coverage 91.70% 91.70%
=======================================
Files 159 159
Lines 10158 10164 +6
Branches 2855 2870 +15
=======================================
+ Hits 9315 9321 +6
Misses 842 842
Partials 1 1 ☔ View full report in Codecov by Sentry. |
Hi @Soviut Thank you for the PR! Do you think that we should show a similar message for |
@yusukebe Yes, let's do that. I've updated the PR to warn if the target is |
I think that this may be an option. Because a threat actor's malicious request could cause a warning to be logged to the console in a production environment. |
What is the concern with that? Wouldn't that help identify threat actors more easily if lots of warnings start showing up in logs? |
@EdamAme-x @yusukebe this seems to have stalled. Is there a security issue? if not, I'd love to see it merged. |
Apologies if this is misplaced. For example, if someone with malicious intent deliberately sends a request with the This could result in the logs being affected, which may lead to increased load. While the administrator would likely notice the attack in the logs, there might not be a clear way to address the issue fully. Even if the IP is blocked, the potential risk of attack would still remain. |
I think the solution to this is to allow option to decide whether to log or not. The user can choose whether or not to generate warnings by environment variables, etc. In the production environment, the log should not be emitted, but in the development environment, it should be emitted. validator(
"json",
(...) => {...},
{
showWarning: process.env.NODE_ENV === "development"
}
) However, it does increase the user load somewhat. |
@yusukebe What do you think? |
@EdamAme-x An option to enable the warnings could be added, but I think that's out of scope for this particular PR. This PR is to address the issue that the invalid body is ignored, making it hard to debug. I think a follow-up ticket is in order since it would require some additional decisions, docs updates, etc. |
Okay, and for now, let's consider the following PRs. |
@yusukebe What should I do to get this merged? |
I'm sorry for not getting back to you sooner. I've considered it, and I believe we should not accept this PR. As @EdamAme-x mentioned, this change will allow the expected warning messages to be shown. This is a vulnerability, and while usability is important, avoiding vulnerabilities is more important. |
@yusukebe @EdamAme-x Okay, I'd like to adjust this PR to include the setting that was mentioned earlier. Instead of |
Assuming we accept this PR, it is doubtful that users will notice this option. |
@EdamAme-x Defaulting to false ultimately ends up back where we started, with a difficult to debug scenario that the warning solves if we set it to true by default. I'm willing to write documentation about this that should be discoverable by anybody searching for the warning and the associated options to turn it off. We could also update the warning messages to include a hint about setting warn to false to mute the warnings. |
I see, however, it may cause problems that are unnoticeable due to dependency updates, etc. However, it may still be a difficult to introduce... |
@EdamAme-x I see. Is there any reason we couldn't return a We could ignore the validation function passed as the 2nd arg and return the 415, preventing the validation function from returning misleading errors of its own.
|
Interesting idea. @yusukebe What do you think? |
@EdamAme-x glad to hear. I agree, the warning was my 2nd choice. I originally wanted to return an error like this but I think I phrased it as an exception earlier. An error response is what I meant. |
@EdamAme-x I've updated the PR to replace the console warnings with |
Co-authored-by: EdamAmex <[email protected]>
@Soviut Can you also write tests on this? |
@EdamAme-x I've updated your suggestion. Let me know what you think. Just note that there are prior error messages like const message = 'Malformed JSON in request body' and this one that gets dynamically built let message = 'Malformed FormData request.'
message += e instanceof Error ? ` ${e.message}` : ` ${String(e)}` |
Yeah, once we think this looks good I can write some tests. Hopefully some already exist for these cases and just need to be updated. EDIT: looks like there are tests that just need to be updated https://github.com/Soviut/hono/blob/patch-1/src/validator/validator.test.ts#L128 |
I think the current one is fine. As for the test, I think it could be changed. |
@EdamAme-x I've updated the tests. The JSON ones only needed the status code updated. However, the FormData tests were (as far as I could tell) missing the same tests, so I replicated them. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Great. We'll need to kick off the checks again. @yusukebe let me know if anything else needs to be done. EDIT: Running the tests locally I see that some are failing. I'll have those fixed tomorrow. |
Good night, @yusukebe. I think that this is a safer, more web standards-based approach. |
Co-authored-by: EdamAmex <[email protected]>
@EdamAme-x something I've realized is that this approach doesn't quite work when multiple validators are used. Because you can have the following... app.post(
'/',
validator('json', (value) => value),
validator('form', (value) => value),
async (c) => {
const jsonData = c.req.valid('json')
const formData = c.req.valid('form')
return c.json({
json: jsonData,
form: formData,
})
}
) ...each validator validates in isolation, meaning if you test for the json target, the form validator will fail. This seems to be why the validators were initially failing silently; so they could pass-through. I'm going to see if I can come up with a way of handling this. |
I wonder if there is a use case for a single endpoint to receive json/form. This may be a bit of a difficult problem. |
This would be a destructive change, but what about telling them to use this middleware if they are using different target validators on the same route? |
@Soviut What do you think? |
I’ll have a look later this evening.
|
@EdamAme-x I could definitely update the tests to work with It is a breaking change so I suppose it might need to wait for Hono 5.0? If so, is there a roadmap? I searched the issues but the last roadmap was for 3.1.0. #968 |
There is currently no official roadmap. Hi @usualoma, what do you think about the idea of using app.post(
'/',
some(
validator('json', (value) => value),
validator('form', (value) => value),
),
async (c) => {
// ...
}
) I am also wondering if Combine middleware can handle validator types well. |
@EdamAme-x combine middleware definitely could use some more docs because it affects how |
It seems that Combine needs to better support combining validator types, etc. |
When a validator has a target 'json' it will now warn if a request is missing a
Content-Type: application/json
header.Closes honojs/middleware#841
Added some docs too honojs/website#540
The author should do the following, if applicable
bun run format:fix && bun run lint:fix
to format the code