Fix/1791 validate error leak body (#1800)

* fix: race conditions

* refactor(test): centralize integration utils methods

* test: body value cannot appear in validate error

* fix: prevent leak value in body validate error

* chore: lint

Author: jackey8616

packages/runtime/src/routeGeneration/templates/express/expressTemplateService.ts

@@ -70,10 +70,22 @@ export class ExpressTemplateService extends TemplateService<ExpressApiHandlerPar
           return this.validationService.ValidateParam(param, request.params[name], name, fieldErrors, false, undefined);
         case 'header':
           return this.validationService.ValidateParam(param, request.header(name), name, fieldErrors, false, undefined);
-        case 'body':
-          return this.validationService.ValidateParam(param, request.body, name, fieldErrors, true, undefined);
-        case 'body-prop':
-          return this.validationService.ValidateParam(param, request.body?.[name], name, fieldErrors, true, 'body.');
+        case 'body': {
+          const bodyFieldErrors: FieldErrors = {};
+          const bodyArgs = this.validationService.ValidateParam(param, request.body, name, bodyFieldErrors, true, undefined);
+          Object.keys(bodyFieldErrors).forEach(key => {
+            fieldErrors[key] = { message: bodyFieldErrors[key].message };
+          });
+          return bodyArgs;
+        }
+        case 'body-prop': {
+          const bodyPropFieldErrors: FieldErrors = {};
+          const bodyPropArgs = this.validationService.ValidateParam(param, request.body?.[name], name, bodyPropFieldErrors, true, 'body.');
+          Object.keys(bodyPropFieldErrors).forEach(key => {
+            fieldErrors[key] = { message: bodyPropFieldErrors[key].message };
+          });
+          return bodyPropArgs;
+        }
         case 'formData': {
           const files = Object.values(args).filter(p => p.dataType === 'file' || (p.dataType === 'array' && p.array && p.array.dataType === 'file'));
           if ((param.dataType === 'file' || (param.dataType === 'array' && param.array && param.array.dataType === 'file')) && files.length > 0) {

packages/runtime/src/routeGeneration/templates/hapi/hapiTemplateService.ts

@@ -93,12 +93,23 @@ export class HapiTemplateService extends TemplateService<HapiApiHandlerParameter
           return this.validationService.ValidateParam(param, request.params[name], name, errorFields, false, undefined);
         case 'header':
           return this.validationService.ValidateParam(param, request.headers[name], name, errorFields, false, undefined);
-        case 'body':
-          return this.validationService.ValidateParam(param, request.payload, name, errorFields, true, undefined);
+        case 'body': {
+          const bodyFieldErrors: FieldErrors = {};
+          const result = this.validationService.ValidateParam(param, request.payload, name, bodyFieldErrors, true, undefined);
+          Object.keys(bodyFieldErrors).forEach(key => {
+            errorFields[key] = { message: bodyFieldErrors[key].message };
+          });
+          return result;
+        }
         case 'body-prop': {
           const descriptor = Object.getOwnPropertyDescriptor(request.payload, name);
           const value = descriptor ? descriptor.value : undefined;
-          return this.validationService.ValidateParam(param, value, name, errorFields, true, 'body.');
+          const bodyFieldErrors: FieldErrors = {};
+          const result = this.validationService.ValidateParam(param, value, name, bodyFieldErrors, true, 'body.');
+          Object.keys(bodyFieldErrors).forEach(key => {
+            errorFields[key] = { message: bodyFieldErrors[key].message };
+          });
+          return result;
         }
         case 'formData': {
           const descriptor = Object.getOwnPropertyDescriptor(request.payload, name);

packages/runtime/src/routeGeneration/templates/koa/koaTemplateService.ts

@@ -75,12 +75,22 @@ export class KoaTemplateService extends TemplateService<KoaApiHandlerParameters,
         case 'body': {
           const descriptor = Object.getOwnPropertyDescriptor(context.request, 'body');
           const value = descriptor ? descriptor.value : undefined;
-          return this.validationService.ValidateParam(param, value, name, errorFields, true, undefined);
+          const bodyFieldErrors: FieldErrors = {};
+          const result = this.validationService.ValidateParam(param, value, name, bodyFieldErrors, true, undefined);
+          Object.keys(bodyFieldErrors).forEach((key) => {
+            errorFields[key] = { message: bodyFieldErrors[key].message }
+          });
+          return result;
         }
         case 'body-prop': {
           const descriptor = Object.getOwnPropertyDescriptor(context.request, 'body');
           const value = descriptor ? descriptor.value[name] : undefined;
-          return this.validationService.ValidateParam(param, value, name, errorFields, true, 'body.');
+          const bodyFieldErrors: FieldErrors = {};
+          const result = this.validationService.ValidateParam(param, value, name, bodyFieldErrors, true, 'body.');
+          Object.keys(bodyFieldErrors).forEach((key) => {
+            errorFields[key] = { message: bodyFieldErrors[key].message }
+          });
+          return result;
         }
         case 'formData': {
           const files = Object.values(args).filter(p => p.dataType === 'file' || (p.dataType === 'array' && p.array && p.array.dataType === 'file'));

tests/fixtures/controllers/validateController.ts

@@ -1,4 +1,4 @@
-import { Body, Get, Post, Query, Route } from '@tsoa/runtime';
+import { Body, BodyProp, Get, Post, Query, Route } from '@tsoa/runtime';
 import { ValidateMapStringToAny, ValidateMapStringToNumber, ValidateModel } from './../testModel';
 
 export interface ValidateDateResponse {
@@ -19,6 +19,10 @@ export interface ValidateStringResponse {
   quotedPatternValue: string;
 }
 
+export interface ValidateBodyPropResponse {
+  name: string;
+}
+
 @Route('Validate')
 export class ValidateController {
   /**
@@ -134,6 +138,11 @@ export class ValidateController {
     return Promise.resolve(body);
   }
 
+  @Post('body-prop')
+  public bodyPropValidate(@BodyProp('name') name: string): Promise<ValidateBodyPropResponse> {
+    return Promise.resolve({ name: `${name}-validated` });
+  }
+
   @Post('map')
   public async getNumberBodyRequest(@Body() map: ValidateMapStringToNumber): Promise<number[]> {
     return Object.keys(map).map(key => map[key]);

tests/fixtures/custom/custom-route-generator/templates/models.hbs

@@ -43,10 +43,22 @@ export function getValidatedArgs(args: any, event: any): any[] {
                 return validationService.ValidateParam(args[key], event.pathParameters[name], name, fieldErrors, false, undefined);
             case 'header':
                 return validationService.ValidateParam(args[key], event.headers[name], name, fieldErrors, false, undefined);
-            case 'body':
-                return validationService.ValidateParam(args[key], eventBody, name, fieldErrors, true, undefined);
-            case 'body-prop':
-                return validationService.ValidateParam(args[key], eventBody[name], name, fieldErrors, true, 'body.');
+            case 'body': {
+                const bodyFieldErrors: FieldErrors = {};
+                const bodyArgs = validationService.ValidateParam(args[key], eventBody, name, bodyFieldErrors, true, undefined);
+                Object.keys(bodyFieldErrors).forEach((key) => {
+                  fieldErrors[key] = { message: bodyFieldErrors[key].message }
+                });
+                return bodyArgs;
+            }
+            case 'body-prop': {
+                const bodyPropFieldErrors: FieldErrors = {};
+                const bodyPropArgs = validationService.ValidateParam(args[key], eventBody[name], name, bodyPropFieldErrors, true, 'body.');
+                Object.keys(bodyPropFieldErrors).forEach((key) => {
+                  fieldErrors[key] = { message: bodyPropFieldErrors[key].message }
+                });
+                return bodyPropArgs;
+            }
             case 'formData':
                 throw new Error('Multi-part form data not supported yet');
             case 'res':

tests/fixtures/custom/custom-tsoa-template.ts.hbs

@@ -125,20 +125,32 @@ export function RegisterRoutes(app: any) {
         const values = Object.keys(args).map(function(key) {
             const name = args[key].name;
             switch (args[key].in) {
-            case 'request':
-                return request;
-            case 'request-prop':
-                return ValidateParam(args[key], request[name], models, name, errorFields, false, undefined, {{{json minimalSwaggerConfig}}});
-            case 'query':
-                return ValidateParam(args[key], request.query[name], models, name, errorFields, false, undefined, {{{json minimalSwaggerConfig}}});
-            case 'path':
-                return ValidateParam(args[key], request.params[name], models, name, errorFields, false, undefined, {{{json minimalSwaggerConfig}}});
-            case 'header':
-                return ValidateParam(args[key], request.header(name), models, name, errorFields, false, undefined, {{{json minimalSwaggerConfig}}});
-            case 'body':
-                return ValidateParam(args[key], request.body, models, name, errorFields, true, undefined, {{{json minimalSwaggerConfig}}});
-            case 'body-prop':
-                return ValidateParam(args[key], request.body[name], models, name, errorFields, true, undefined, {{{json minimalSwaggerConfig}}});
+                case 'request':
+                    return request;
+                case 'request-prop':
+                    return ValidateParam(args[key], request[name], models, name, errorFields, false, undefined, {{{json minimalSwaggerConfig}}});
+                case 'query':
+                    return ValidateParam(args[key], request.query[name], models, name, errorFields, false, undefined, {{{json minimalSwaggerConfig}}});
+                case 'path':
+                    return ValidateParam(args[key], request.params[name], models, name, errorFields, false, undefined, {{{json minimalSwaggerConfig}}});
+                case 'header':
+                    return ValidateParam(args[key], request.header(name), models, name, errorFields, false, undefined, {{{json minimalSwaggerConfig}}});
+                case 'body': {
+                    const bodyFieldErrors: FieldErrors = {};
+                    const bodyArgs = ValidateParam(args[key], request.body, models, name, bodyFieldErrors, true, undefined, {{{json minimalSwaggerConfig}}});
+                    Object.keys(bodyFieldErrors).forEach((key) => {
+                      errorFields[key] = { message: bodyFieldErrors[key].message }
+                    });
+                    return bodyArgs;
+                }
+                case 'body-prop': {
+                    const bodyPropFieldErrors: FieldErrors = {};
+                    const bodyPropArgs = ValidateParam(args[key], request.body[name], models, name, bodyPropFieldErrors, true, undefined, {{{json minimalSwaggerConfig}}});
+                    Object.keys(bodyPropFieldErrors).forEach((key) => {
+                      errorFields[key] = { message: bodyPropFieldErrors[key].message }
+                    });
+                    return bodyPropArgs;
+                }
             }
         });