-
Notifications
You must be signed in to change notification settings - Fork 343
fix: dashboard patch api should not allow 'id' in updates #909
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: dashboard patch api should not allow 'id' in updates #909
Conversation
⚠️ No Changeset found
Latest commit: e0c870f
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
This PR includes no changesets
When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types
Click here to learn what changesets are, and how to add one.
Click here if you're a maintainer who wants to add a changeset to this PR
@mGolestan98 is attempting to deploy a commit to the HyperDX Team on Vercel.
A member of the Team first needs to authorize it.
actually 2 things that i just realized:
- The
idfield isn’t used in the Mongo schema—only_idis—so it shouldn’t cause any issues. However,_idstill appears in the request body and should be stripped out. - I attempted to use
Zodto strip unknown parameters not defined in the schema, but it doesn’t seem to be working as expected. I’ll dig into this further after work.
I'm converting this PR to a draft for now.
dhable
commented
Jun 5, 2025
I think the problem is that zod is allowing undefined fields by default. Appending .strict() now causes the UI update to the dashboard name to fail because the id is being included:
validateRequest({
params: z.object({
id: objectIdSchema,
}),
body: DashboardWithoutIdSchema.partial().strict(),
})
Response after editing dashboard title:
[
{
"type": "Body",
"errors": {
"issues": [
{
"code": "unrecognized_keys",
"keys": [
"_id",
"team",
"createdAt",
"updatedAt",
"__v",
"id"
],
"path": [],
"message": "Unrecognized key(s) in object: '_id', 'team', 'createdAt', 'updatedAt', '__v', 'id'"
}
],
"name": "ZodError"
}
}
]
Thanks @dhable. I think using strict would require significant code changes in the frontend apps to sanitize request parameters for all API requests which I believe that would be a harder path to take;
Instead, I’d suggest stripping unknown parameters in all backend API routes using the processRequest function from zod-express-middleware, rather than using validateRequest. With processRequest, that would apply someSchema.strip() and pass the cleaned data to the controller function which validateRequest doesn't.
Also, since zod-express-middleware is deprecated and the functionality we need is pretty minimal, it might make more sense to implement this functionality in the api codebase and just use that - something similar that already i found to exist for validating request headers.
Uh oh!
There was an error while loading. Please reload this page.
Problem
The dashboard PATCH API endpoint was using
DashboardSchema.partial()for request body validation, which allowed theidfield to be included in update requests. This was inconsistent with theupdateDashboardcontroller method, which was already correctly typed to accept schema excluding the id.