nestjs / nest

A progressive Node.js framework for building efficient, scalable, and enterprise-grade server-side applications with TypeScript/JavaScript 🚀
https://nestjs.com
MIT License

ValidationPipe with forbidNonWhitelisted throws an exception for a valid query param #11598

Closed antyale closed 1 year ago

antyale commented 1 year ago

Is there an existing issue for this?

Current behavior

I have a global validation pipe that uses forbidNonWhitelisted so it throws an exception for invalid parameters:

  // Options for the application-wide ValidationPipe, named separately so each
  // flag can carry its own explanation.
  const globalValidationOptions = {
    // Strip properties that have no validation decorator on the target DTO.
    whitelist: true,
    // Reject the request (400) instead of silently stripping such properties.
    forbidNonWhitelisted: true,
    // Convert incoming payloads into instances of the declared DTO class.
    transform: true,
    transformOptions: {
      // Let class-transformer coerce values from the declared TypeScript type;
      // query-string values arrive as strings.
      enableImplicitConversion: true,
    },
  };

  // Registered globally, so the strict allow-list applies to every handler
  // argument that is validated against a DTO class.
  app.useGlobalPipes(new ValidationPipe(globalValidationOptions));

It seems that this is causing some issues when using DTO classes and multiple @Query params in the controller endpoint. For example, the following code should take status as a valid query param, but instead it throws {"statusCode":400,"message":["property status should not exist"],"error":"Bad Request"}

/**
 * Query-string DTO describing pagination; both fields are optional.
 *
 * Only `page` and `limit` carry validation decorators. With the
 * `whitelist` / `forbidNonWhitelisted` pipe options shown in this issue, any
 * other key present on the object validated against this class is rejected
 * with "property <name> should not exist".
 */
export class PaginationParamsDTO {
  // Optional page index; when present it must be a number >= 0.
  // No upper bound is declared here.
  // NOTE(review): IsNumber also accepts fractional values — confirm whether
  // IsInt was intended for a page index.
  @IsOptional()
  @IsNumber()
  @Min(0)
  page?: number;

  // Optional page size, restricted to the values 10 and 25.
  // NOTE(review): IsEnum is handed an array literal rather than an enum
  // object; presumably it is meant as an allow-list, which is what
  // class-validator's IsIn is designed for — confirm.
  @IsOptional()
  @IsEnum([10, 25])
  limit?: 10 | 25;
}

/**
 * Controller from the issue's reproduction: one GET handler that reads a
 * single named query parameter plus a DTO bound to the whole query string.
 */
@Controller()
export class AppController {
  constructor(private readonly appService: AppService) {}

  /**
   * Logs the received query values and returns the service greeting.
   *
   * `@Query('status')` binds only the `status` key. The bare `@Query()` binds
   * the entire query object, so the pipe validates every key, `status`
   * included, against `PaginationParamsDTO`. Under `forbidNonWhitelisted`
   * that is what produces the 400 described in this issue.
   *
   * @param status value of the `status` query parameter; no class-validator
   *   rules are declared for it in this handler
   * @param pagination the full query object, validated as PaginationParamsDTO
   * @returns whatever `appService.getHello()` returns
   */
  @Get()
  getHello(
    @Query('status') status: string,
    @Query() pagination: PaginationParamsDTO,
  ): string {
    const { limit, page } = pagination;
    // Request-supplied values are written to stdout as-is, in the order
    // limit, page, status.
    for (const received of [limit, page, status]) {
      console.log(received);
    }
    return this.appService.getHello();
  }
}

Setting forbidNonWhitelisted to false avoids the exception and the endpoint takes the status query param correctly.

Thanks!

Minimum reproduction code

https://stackblitz.com/edit/nestjs-typescript-starter-mv5eul

Steps to reproduce

  1. npm install && npm start on the StackBlitz project
  2. Add ?status=pending query param to the running app url

Expected behavior

The ValidationPipe should not throw an exception.

Package

Other package

No response

NestJS version

^9.4.0

Packages versions

{
  "name": "nest-typescript-starter",
  "private": true,
  "version": "1.0.0",
  "description": "Nest TypeScript starter repository",
  "license": "MIT",
  "scripts": {
    "build": "nest build",
    "format": "prettier --write \"src/**/*.ts\" \"test/**/*.ts\"",
    "start": "nest start",
    "start:dev": "nest start --watch",
    "start:debug": "nest start --debug --watch",
    "start:prod": "node dist/main",
    "lint": "eslint \"{src,apps,libs,test}/**/*.ts\" --fix",
    "test": "jest",
    "test:watch": "jest --watch",
    "test:cov": "jest --coverage",
    "test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand",
    "test:e2e": "jest --config ./test/jest-e2e.json"
  },
  "dependencies": {
    "@nestjs/common": "^9.0.0",
    "@nestjs/core": "^9.0.5",
    "@nestjs/platform-express": "^9.0.0",
    "class-transformer": "^0.5.1",
    "class-validator": "^0.14.0",
    "reflect-metadata": "^0.1.13",
    "rxjs": "^7.5.5"
  },
  "devDependencies": {
    "@nestjs/cli": "^9.0.0",
    "@nestjs/schematics": "^9.0.0",
    "@nestjs/testing": "^9.0.0",
    "@types/express": "^4.17.13",
    "@types/jest": "^28.1.4",
    "@types/node": "^18.0.3",
    "@types/supertest": "^2.0.12",
    "@typescript-eslint/eslint-plugin": "^5.30.5",
    "@typescript-eslint/parser": "^5.30.5",
    "eslint": "^8.19.0",
    "eslint-config-prettier": "^8.5.0",
    "eslint-plugin-prettier": "^4.2.1",
    "jest": "^28.1.2",
    "prettier": "^2.7.1",
    "source-map-support": "^0.5.21",
    "supertest": "^6.2.4",
    "ts-jest": "^28.0.5",
    "ts-loader": "^9.3.1",
    "ts-node": "^10.8.2",
    "tsconfig-paths": "^4.0.0",
    "typescript": "^4.7.4"
  },
  "jest": {
    "moduleFileExtensions": [
      "js",
      "json",
      "ts"
    ],
    "rootDir": "src",
    "testRegex": ".*\\.spec\\.ts$",
    "transform": {
      "^.+\\.(t|j)s$": "ts-jest"
    },
    "collectCoverageFrom": [
      "**/*.(t|j)s"
    ],
    "coverageDirectory": "../coverage",
    "testEnvironment": "node"
  }
}

Node.js version

18.12

In which operating systems have you tested?

Other

No response

jmcdo29 commented 1 year ago

This is behaving as expected. Your DTO only defines page and limit, so the third query parameter, status, is unknown to the DTO. As @Query() is essentially req.query and Nest doesn't pull any values off of it, the entire object is passed for validation.