bcgov / SIMS

Student Information Management System. Post-Secondary Student Financial Aid System
Apache License 2.0

Add class-validators to dryRun input DTOs #1700

Open andrepestana-aot opened 1 year ago

andrepestana-aot commented 1 year ago

There are some DTOs that are not validated, and their properties are decorated with @Allow() because the properties are sent to Formio in the dryRun process. An attacker could send a very large value in those DTOs trying to crash it. Even those DTOs can have some kind of length restriction to avoid it, e.g.: EducationProgramAPIInDTO.


Acceptance Criteria

michesmith commented 9 months ago

@andrepestana-aot could you please draft some acceptance criteria for discussion at Backlog grooming?