Don't throw a TypeError when trying to decode a sum value that contains a dangerous string #650

Merged
merged 1 commit into from
Jul 28, 2022

thewilkybarkid
Contributor

I've recently started to see sporadic test failures for https://github.com/PREreview/prereview.org/blob/f1909e23b7d8a27d1d97e922dbdffa42a5b84570/test/write-review.test.ts#L1560-L1617. The test is probably hard to follow, but it's failing when using https://github.com/PREreview/prereview.org/blob/f1909e23b7d8a27d1d97e922dbdffa42a5b84570/src/write-review.ts#L59-L67 to decode a value generated by fc.record({ competingInterests: fc.string() }, { withDeletedKeys: true })

The error is:

Stack trace: TypeError: members[v].decode is not a function

  at decode (node_modules/io-ts/lib/Kleisli.js:237:39)

A failing value looks like this:

{ competingInterests: 'toString' }

Fast-Check recently added a failure to generate strings containing JavaScript keywords and the like (dubzzz/fast-check#3043), revealing that io-ts crashes when trying to decode a sum type as the 'in' operator finds inherited properties such as 'toString'.

I looked at using Fast-Check in the test, but it needs to be upgraded and causes its other usages to fail, so I've just used a built-in property name instead.
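
A minimal reproduction of the failure mode described in this pull request, as an added example that is not part of the pull request or of the io-ts source: a tag lookup using `in` beside one using an own-property check. The `members` record, `decodeSum`, `outcome` and the own-property check are assumptions made for illustration.

```typescript
// Added illustration: a simplified stand-in for a sum decoder, not io-ts source.
type Result = { ok: true; value: unknown } | { ok: false; error: string }
interface Decoder { decode(input: unknown): Result }
type Members = Record<string, Decoder>
type HasMember = (members: Members, v: string) => boolean

// Hypothetical members of a sum tagged by `competingInterests`.
const members: Members = {
  yes: { decode: (input) => ({ ok: true, value: input }) },
  no: { decode: (input) => ({ ok: true, value: input }) },
}

// `in` walks the prototype chain, so 'toString' in members is true.
const viaIn: HasMember = (m, v) => v in m
// An own-property check ignores everything inherited from Object.prototype.
const viaOwn: HasMember = (m, v) => Object.prototype.hasOwnProperty.call(m, v)

function decodeSum(tag: string, m: Members, hasMember: HasMember, input: unknown): Result {
  if (typeof input !== 'object' || input === null) {
    return { ok: false, error: 'expected an object' }
  }
  const v = (input as Record<string, unknown>)[tag]
  if (typeof v === 'string' && hasMember(m, v)) {
    // With viaIn and v === 'toString' this is Object.prototype.toString,
    // which has no decode method, so the call throws a TypeError.
    return (m[v] as Decoder).decode(input)
  }
  return { ok: false, error: `unexpected value for ${tag}` }
}

// Reports how a decode attempt ends: 'ok', 'rejected' or 'TypeError'.
function outcome(hasMember: HasMember, input: unknown): string {
  try {
    return decodeSum('competingInterests', members, hasMember, input).ok ? 'ok' : 'rejected'
  } catch (e) {
    if (e instanceof TypeError) return 'TypeError'
    throw e
  }
}

// Constructed inputs: one valid tag and three inherited property names.
for (const value of ['yes', 'toString', 'constructor', '__proto__']) {
  const input = { competingInterests: value }
  console.log(value, 'in:', outcome(viaIn, input), 'own:', outcome(viaOwn, input))
}
```

When the decoder handles untrusted input, the uncaught TypeError turns a malformed field into a crash instead of a validation failure, which is why the lookup has to ignore inherited keys.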

@gcanti gcanti merged commit 73d0ea7 into gcanti:master Jul 28, 2022
@thewilkybarkid thewilkybarkid deleted the sum-prototype branch July 28, 2022 13:46
Owner

gcanti commented Jul 29, 2022

Thanks @thewilkybarkid, patch released
