Merge pull request #170 from peterjanes/master

Don't allow non-numeric characters when parsing the `number` type.
APIDevTools · Aug 1, 2020 · cbac12d · cbac12d
2 parents e9327e6 + 2a8c1b7
commit cbac12d
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/lib/helpers/json-schema.js b/lib/helpers/json-schema.js
@@ -278,7 +278,7 @@ function parseNumber (schema, value, propPath) {
   value = getValueToValidate(schema, value);
 
   // Make sure it's a properly-formatted number
-  let parsedValue = parseFloat(value);
+  let parsedValue = value === "" ? NaN : Number(value);
   if (_.isNaN(parsedValue) || !_.isFinite(parsedValue)) {
     throw ono({ status: 400 }, '"%s" is not a valid numeric value', propPath || value);
   }

diff --git a/test/specs/json-schema/parse/parse-number.spec.js b/test/specs/json-schema/parse/parse-number.spec.js
@@ -177,4 +177,19 @@ describe("JSON Schema - parse number params", () => {
       expect(err.message).to.contain('Missing required header parameter "Test"');
     }));
   });
+
+  it("should be more strict than parseFloat()", (done) => {
+    let schema = {
+      type: "number",
+      required: true
+    };
+
+    let express = helper.parse(schema, "1z", done);
+
+    express.use("/api/test", helper.spy((err, req, res, next) => {
+      expect(err).to.be.an.instanceOf(Error);
+      expect(err.status).to.equal(400);
+      expect(err.message).to.contain('"1z" is not a valid numeric value');
+    }));
+  });
 });