A vulnerability exists in the packages class-transformer and, by extension, class-validator. It has been patched in class-transformer, but class-validator has an ongoing issue on this. For now, the solution is to set forbidUnknownValues.
All the changes in this PR are the result of setting forbidUnknownValues in nestjs.ts. From now on, developers must ensure that the body of POST and PUT requests is properly validated. If not, then a 400 exception will be thrown.
The acceptance criterion for this PR is that every request made from the frontend must not result in a 400 Bad Request if it worked before this solution. That might be indicative of missing validation.
Related frontend PR
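
To illustrate why a request body without validation rules starts returning 400 once forbidUnknownValues is set, here is an added example (not code from this PR, NestJS or class-validator): a simplified, dependency-free TypeScript model of the validation decision. The rule registry, DTO names, messages and request bodies are hypothetical.

```typescript
// Simplified model of the validation decision; not class-validator's own code.
type Rule = { property: string; check: (v: unknown) => boolean; message: string };
interface Options { forbidUnknownValues: boolean }

// Stand-in for the decorator metadata registry: validation rules per DTO class.
const rules = new Map<Function, Rule[]>();

function register(target: Function, ...r: Rule[]): void {
  rules.set(target, r);
}

// Returns error messages; an empty list means the value is reported as valid.
function validateModel(value: object, opts: Options): string[] {
  const known = rules.get(value.constructor);
  if (!known || known.length === 0) {
    // No rules exist for this type, so nothing can actually be checked.
    return opts.forbidUnknownValues
      ? ["unknownValue: no validation rules registered for this type"]
      : []; // weak setting: unchecked input passes as "valid"
  }
  const record = value as Record<string, unknown>;
  return known
    .filter((r) => !r.check(record[r.property]))
    .map((r) => `${r.property}: ${r.message}`);
}

// Maps the validation result to the HTTP status the API would answer with.
function statusFor(dto: object, opts: Options): number {
  return validateModel(dto, opts).length === 0 ? 200 : 400;
}

// Hypothetical DTOs: one with a rule, one that was never given any.
class CreateUserDto { email?: unknown }
class UpdateNoteDto { text?: unknown }
register(CreateUserDto, {
  property: "email",
  check: (v) => typeof v === "string" && v.includes("@"),
  message: "must be an email address",
});

// Constructed request bodies, already converted to DTO instances.
const goodUser = Object.assign(new CreateUserDto(), { email: "a@example.org" });
const badUser = Object.assign(new CreateUserDto(), { email: { nested: "object" } });
const note = Object.assign(new UpdateNoteDto(), { text: { nested: "object" } });
```

In this model, `note` is accepted with the flag off and rejected with it on, which is the 400 the acceptance criterion asks reviewers to look for: it points at a body type that still needs validation rules.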