Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Error on non-number limit rather than ignoring #207

Open
wants to merge 6 commits into
base: master
Choose a base branch
from

Conversation

jdleesmiller
Copy link

Currently if you set a configuration limit, such as fileSize, to a string, the default is silently used instead.

Clearly passing a string is wrong (mea culpa!), but it is an easy mistake to make, because these limits are often set from environment variables. The result is that fileSize gets set to its default value of Infinity rather than the intended limit in the env var, leaving the app with no limit on the size of the files it would try to process.

A few seconds of searching on GitHub reveals I am not alone in making this blunder:

In my case, I had an app using node-config:

limits: {
    files: 1,
    fileSize: config.get('maxFileUploadSize')
  }

which was OK when the default limit came from a JSON config file and was a number. But then one day I added an environment variable override, so config.get returned a string, which caused fileSize to actually get the default value of Infinity.

Here I've proposed making it an error to do this. Doing so without a lot of repetition required making a helper function to get the limit from config and validate it.

I think this would be considered a breaking change. Some apps that are currently running insecurely without upload limits would instead crash on boot. That's not great either, of course, but I think on balance it would be better to fail fast rather than to run silently in an unsafe way.

lib/utils.js Outdated Show resolved Hide resolved
lib/utils.js Outdated Show resolved Hide resolved
lib/utils.js Outdated Show resolved Hide resolved
lib/utils.js Outdated Show resolved Hide resolved
@jdleesmiller
Copy link
Author

Thanks for the quick feedback @mscdex ! I have accepted code review suggestions and added the tests for null and NaN.

@jdleesmiller
Copy link
Author

@charmander @mscdex Thanks! Now using strictEqual.

@Uzlopak Uzlopak mentioned this pull request Nov 29, 2021
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants