Releases · badrap/valita

Breaking: Optionals don't have .parse and .try methods anymore. To create a standalone parser that accepts e.g. either a string or undefined, then v.union(v.string(), v.undefined()) is the recommended way for that.

Restore exported types that were accidentally omitted from v0.1.8

Fix type errors when the importer's tsconfig.json has "declaration": true.

Fix cases where a lazy(...) call references const variables that are defined later.

Optimize code by doing less defineProperty shenanigans.
Add tests for basic primitives (null(), undefined(), ...).

@rslabbert

Fix: Allow type checking to work with native Node16 Typescript ESM (#27, thanks @rslabbert!)

Rewrite parts of the internal bookkeeping for v.object(...), hopefully clarifying it a bit. For details take a look at the relevant code.

This release modifies how object() and record() handle input that contains a property called __proto__.

As it happens, __proto__ is a bit special in JavaScript, as it allows the [[Prototype]] of an object to be mutated:

let obj = {}
obj.__proto__ = { a: 1 }
obj.a === 1 // true

Interestingly, JSON.parse doesn't set the prototype based on __proto__:

let input = JSON.parse('{ "__proto__": { "a": 1 } }')
input.a === 1 // false
input.__proto__.a === 1 // true

// cloning with e.g. Object.assign sets the prototype, though
Object.assign({}, input).a === 1 // true

JSON.parse is often used to parse input in HTTP servers. So, as Valita was built for validating & parsing arbitrary input data, it may encounter data that contains the __proto__ property. Some weird effects could be observed when Valita versions v0.1.2 and earlier encountered such input and needed to clone the input object:

import * as v from "@badrap/valita"
let t = v.object({ a: v.string().optional() }).rest(v.unknown().map((x) => x))
let o = t.parse(JSON.parse('{ "__proto__": { "a": 1 } }'))

// __proto__ is defined in the output...
o.__proto__.a === 1 // true

// ...but o.a shouldn't be, yet it is
o.a === 1 // true

This is now mitigated in Valita v0.1.3:

import * as v from "@badrap/valita"
let t = v.object({ a: v.string().optional() }).rest(v.unknown().map((x) => x))
let o = t.parse(JSON.parse('{ "__proto__": { "a": 1 } }'))

// __proto__ is still defined in the output...
o.__proto__.a === 1 // true

// ...and o.a isn't
o.a === undefined // true

Notes

An alternative approach to deal with __proto__ properties would have been to remove them from the output. However, we don't think Valita is not the right place to make such an decision. There are good options for sanitizing your input data, for example using Fastify's secure-json-parse instead of plain JSON.parse.
The special behavior of __proto__ can be disabled in Node.js via the --disable-proto=delete option. Deno has disabled this behavior altogether by default.
These changes make also Valita more compatible with running Node.js with --disable-proto=throw, which is a good step for catching sources of __proto__ shenanigans.
Further reading about prototype pollution / poisoning:
- https://www.fastify.io/docs/latest/Guides/Prototype-Poisoning/
- https://medium.com/intrinsic-blog/javascript-prototype-poisoning-vulnerabilities-in-the-wild-7bc15347c96

Publish to https://deno.land/x/valita

Releases: badrap/valita

v0.2.0

Uh oh!

v0.1.10

Uh oh!

v0.1.9

Uh oh!

v0.1.8

Uh oh!

v0.1.7

Uh oh!

v0.1.6

Uh oh!

v0.1.5

Contributors

Uh oh!

v0.1.4

Uh oh!

v0.1.3

Notes

Uh oh!

v0.1.2

Uh oh!