-
Notifications
You must be signed in to change notification settings - Fork 806
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: default settings allows arbitrary bypass vulnerability #438
Comments
Transformation plain json object into class instance is not |
Thanks for the comment. we will report this to class-transformer since the transformer and validator are usually used together, which leads to vulnerable logics. Even if class-transformer adds a patch for this issue, I think we might still want to add a simple check to the class-validator because we cannot guarantee that developers will only use class-transformer to transform those plain JSON object. For example, it is found that other methods (e.g., Object.assign() [1]) are used to transform user-input before validation. They will also invalidate the class-validator once attackers inject the same payload. From the perspective of these transformers, they just correctly transform all attributes. If we can check whether the constructor of the validation class instance is empty or not, this bug will be fixed. |
I think for this purpose exists option I know the name of option is missleading and also we do not have proper documentation. Example: |
Thanks for the comment. I think we should at least mention this option somewhere in readme right? |
Of course we need doc improvement in this area. |
Yes... because class-validator will be vulnerable to the mentioned attack in its default settings. We should let developers know this undocumented |
Is there a reason why forbidUnknownValues shouldn't be default? It seems like an issue that class-validator has a security vulnerability in it's default state. |
@vlapo was this issue ever addressed? |
@vlapo @xiaofen9 What's going on with this issue? Can you please provide an update. |
Historical reason, it is a breaking change. |
Note to self: handle in class-transformer as well before closing this issue. |
Does "forbidUnknownValue: true" prevent this issue entirely or only mitigate it? I want to start using class-validator in my project but it is concerning that such an important security issue has remained open since October last year. I will have trouble convincing my security department that everything is ok when this package is reported as "High Risk" in their reports. An actual fix to the package would be very much preferred. |
@NoNameProvided when would this be resolved, any particular timeline planned for it. |
@donnd-t It prevents this issue. The |
I am kind of reluctant pushing out breaking changes one by one, my hope is to collect them and make one release where all the quirks are disabled by default, but there is so much stuff to do. |
Hey, just wondering if we have any plan to fix this in the future? |
@NoNameProvided I don't really understand why not set the default value of |
Any update on this? Same issue; can't use this library because it's being flagged by Nexus |
Lots of people are going to come here now that GitHub has opened this as a critical severity: GHSA-fj58-h2fr-3pp2. What will a PR to fix this look like? Should we set |
Pull request #1403 is now ready for review: changes the default value for I'd appreciate it if maintainers could take a look at it in the next few days. |
Hi @NoNameProvided |
The class-transformer + class-validator setup is not vulnerable to this issue. |
It might be a better approach to let |
Any update on this issue ? |
I'd like to fix this it's showing up in my tests as critical: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18413 |
Any updates or ETA on a fix for this? Ditto on appearing as a critical vuln in our project. |
Related discussion: #1422. The provided POC doesn't result in a bypass since at least 2021 October 22. (So for almost a year) |
This feature/fix has been released in |
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
With this vulnerability, an attacker can bypass any security checks enforced by class-validator.
When class-validator is used to validate user-input, the attributes in the user-input object will be transformed into the validation class instance.
However, the transforming procedure will overwrite the internal attribute of validation class instance (e.g., constructor attribute) if the attacker injects an attribute with the same name into user-input. Once this internal attribute being overwritten, class-validator will be bypassed.
PoC
Our suggestion is that class-validator should check the integrity of the constructor: if it is being corrupted, the validation should automatically fail.
The text was updated successfully, but these errors were encountered: