Do I need to validate, sanitise or escape data whe

Posted 2019-04-29 12:32

Question:

I have a node / express / sequelize app. I am using the build method in sequelize to create an instance of my foo model.

Foo Controller

exports.create = function(req, res) {
    var foo = db.Foo.build(req.body);
    foo.save().then(function(){
        // do stuff
    });
}

Foo Model

module.exports = function(sequelize, DataTypes) {

    var Foo = sequelize.define('Foo',
    {
        bar: DataTypes.STRING,
        baz: DataTypes.STRING
    });

    return Foo;
};

Does the build method check that the data I am saving is clean or do I need to take some extra precautions here?

Answer 1:

I prefer to make secondary validation in routes, because:

1) Storing data in a database is one of many things you can do with this data. If you only validate in the database, then in other places you get unvalidated data. For example, you may need some computation or concatenation before saving it in a database.

2) Or when you use one sequelize model in many routes (e.g. the User model in a customer route and a partner route) and you want to apply different validation rules.

I always set validation in sequelize models, but this is validation with 'maximum allowable conditions' (e.g. the username field is never larger than 200 chars and it is a string). I also add route validation. It is more specific and concrete (e.g. in the customer route the username max length is 100, but in the partner route the username may have 150 chars, and I also check the content of this string).

And finally, the strict answer to your question: sequelize validation is mostly for validating format, and this is not enough. Look at my answer to NodeJS/express - security for public API endpoint: if you save data without correct validation and then serve this data, you are exposed to an XSS attack.
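The two-layer scheme the answer describes (loose model-level limits, stricter per-route rules, and escaping when stored data is served) as an added example; this is not code from the question or the answerer. It reuses the field names bar and baz from the question and the 200/100/150 limits from the answer; the rule object shape, the partner-route character pattern, the sample bodies and the Express-style middleware signature are assumptions made for the example, and no Sequelize import is needed to run it.

```javascript
// Added example (not from the original question or answer): validating a
// request body before it reaches Model.build(), plus escaping at render time.
// Rule shape, limits, pattern and sample bodies are constructed for this example.

// Layer 1: "maximum allowable conditions", the loosest rules a column can ever
// accept. In a real Sequelize model these would be the attribute's `validate`
// option (e.g. `validate: { len: [0, 200] }`); here they are plain objects.
const MODEL_RULES = {
  bar: { type: 'string', maxLength: 200 },
  baz: { type: 'string', maxLength: 200 },
};

// Layer 2: per-route rules, stricter than the model and different per route.
const CUSTOMER_RULES = {
  bar: { type: 'string', maxLength: 100, required: true },
  baz: { type: 'string', maxLength: 100 },
};
const PARTNER_RULES = {
  // Hypothetical content check for the partner route: letters, digits, space, . _ -
  bar: { type: 'string', maxLength: 150, required: true, pattern: /^[A-Za-z0-9 ._-]+$/ },
  baz: { type: 'string', maxLength: 150 },
};

// Returns { ok, errors, value }. `value` contains only the fields named in
// `rules`, so unknown keys from req.body never reach build() (mass assignment).
function validateBody(body, rules) {
  const errors = [];
  const value = {};
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'], value };
  }
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(rules, key)) {
      errors.push(`unexpected field: ${key}`);
    }
  }
  for (const [field, rule] of Object.entries(rules)) {
    const v = body[field];
    if (v === undefined) {
      if (rule.required) errors.push(`${field} is required`);
      continue;
    }
    if (typeof v !== rule.type) {
      errors.push(`${field} must be a ${rule.type}`);
      continue;
    }
    if (rule.maxLength !== undefined && v.length > rule.maxLength) {
      errors.push(`${field} must be at most ${rule.maxLength} characters`);
      continue;
    }
    if (rule.pattern && !rule.pattern.test(v)) {
      errors.push(`${field} contains disallowed characters`);
      continue;
    }
    value[field] = v;
  }
  return { ok: errors.length === 0, errors, value };
}

// Express-style middleware factory (assumed (req, res, next) signature).
// On success it stores the whitelisted object on req.validated; the route
// handler should then call db.Foo.build(req.validated), not build(req.body).
function requireValid(rules) {
  return function (req, res, next) {
    const result = validateBody(req.body, rules);
    if (!result.ok) {
      return res.status(400).json({ errors: result.errors });
    }
    req.validated = result.value;
    return next();
  };
}

// Validation does not make stored strings safe to put into HTML; escape at
// output time whenever a stored value is rendered into a page.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample body: a stray extra field and markup in a string.
const SAMPLE_CUSTOMER_BODY = { bar: '<b>Acme</b>', baz: 'ok', isAdmin: true };
```

Running validateBody(SAMPLE_CUSTOMER_BODY, CUSTOMER_RULES) rejects the body because of the unexpected isAdmin field; the same bar value passes the customer route's length check but fails the partner route's pattern. The model-level rules only bound length and type, which is exactly the gap the route layer and escapeHtml are there to close.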