From d4eea3b8d1b8072b2101e2a82c0b34ff0fce798e Mon Sep 17 00:00:00 2001
From: Prakash Maria Liju P <ppml38@gmail.com>
Date: Tue, 12 Nov 2024 10:47:34 +0530
Subject: [PATCH] Add a fix for the vulnerability in zod literal validation message, which was exposing sensitive information in error message.

---
 deno/lib/__tests__/error.test.ts | 8 ++------
 deno/lib/locales/en.ts | 5 +----
 src/__tests__/error.test.ts | 8 ++------
 src/locales/en.ts | 5 +----
 4 files changed, 6 insertions(+), 20 deletions(-)

diff --git a/deno/lib/__tests__/error.test.ts b/deno/lib/__tests__/error.test.ts
index e66b185eb..36cf630ec 100644
--- a/deno/lib/__tests__/error.test.ts
+++ b/deno/lib/__tests__/error.test.ts
@@ -498,9 +498,7 @@ test("literal default error message", () => {
 } catch (err) {
 const zerr: z.ZodError = err as any;
 expect(zerr.issues.length).toEqual(1);
- expect(zerr.issues[0].message).toEqual(
- `Invalid literal value, expected "Tuna"`
- );
+ expect(zerr.issues[0].message).toEqual(`Invalid literal value`);
 }
 });
 
@@ -510,9 +508,7 @@ test("literal bigint default error message", () => {
 } catch (err) {
 const zerr: z.ZodError = err as any;
 expect(zerr.issues.length).toEqual(1);
- expect(zerr.issues[0].message).toEqual(
- `Invalid literal value, expected "12"`
- );
+ expect(zerr.issues[0].message).toEqual(`Invalid literal value`);
 }
 });
 
diff --git a/deno/lib/locales/en.ts b/deno/lib/locales/en.ts
index 0665af275..be98093c5 100644
--- a/deno/lib/locales/en.ts
+++ b/deno/lib/locales/en.ts
@@ -12,10 +12,7 @@ const errorMap: ZodErrorMap = (issue, _ctx) => {
 }
 break;
 case ZodIssueCode.invalid_literal:
- message = `Invalid literal value, expected ${JSON.stringify(
- issue.expected,
- util.jsonStringifyReplacer
- )}`;
+ message = `Invalid literal value`;
 break;
 case ZodIssueCode.unrecognized_keys:
 message = `Unrecognized key(s) in object: ${util.joinValues(
diff --git a/src/__tests__/error.test.ts b/src/__tests__/error.test.ts
index b1942743b..daf3977d3 100644
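Review bot: Removing `issue.expected` from the `invalid_literal` message changes only the human-readable string; the deleted lines show the value is still read from `issue.expected`, and this patch does not touch where that field is set, so applications that serialize `error.issues` to clients (a common pattern for validation responses) still return the literal. The commit description should say so explicitly, since the fix is only complete for consumers that surface `message` alone. Because every user of the `en` locale now loses the diagnostic value of the default message, a comment above the new line should record that the omission is deliberate and that a custom `ZodErrorMap` can reinstate it, e.g. `// Intentionally omits issue.expected: literal schema values may be sensitive and must not reach error text.` The same edit appears in the `src/locales/en.ts` hunk; the enclosing `errorMap` arrow function begins and ends outside both hunks.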
--- a/src/__tests__/error.test.ts
+++ b/src/__tests__/error.test.ts
@@ -497,9 +497,7 @@ test("literal default error message", () => {
 } catch (err) {
 const zerr: z.ZodError = err as any;
 expect(zerr.issues.length).toEqual(1);
- expect(zerr.issues[0].message).toEqual(
- `Invalid literal value, expected "Tuna"`
- );
+ expect(zerr.issues[0].message).toEqual(`Invalid literal value`);
 }
 });
 
@@ -509,9 +507,7 @@ test("literal bigint default error message", () => {
 } catch (err) {
 const zerr: z.ZodError = err as any;
 expect(zerr.issues.length).toEqual(1);
- expect(zerr.issues[0].message).toEqual(
- `Invalid literal value, expected "12"`
- );
+ expect(zerr.issues[0].message).toEqual(`Invalid literal value`);
 }
 });
 
diff --git a/src/locales/en.ts b/src/locales/en.ts
index 11325a95b..b99104837 100644
--- a/src/locales/en.ts
+++ b/src/locales/en.ts
@@ -12,10 +12,7 @@ const errorMap: ZodErrorMap = (issue, _ctx) => {
 }
 break;
 case ZodIssueCode.invalid_literal:
- message = `Invalid literal value, expected ${JSON.stringify(
- issue.expected,
- util.jsonStringifyReplacer
- )}`;
+ message = `Invalid literal value`;
 break;
 case ZodIssueCode.unrecognized_keys:
 message = `Unrecognized key(s) in object: ${util.joinValues(