Typescript All Errors Enabled
Description
Detects when the Ajv JSON schema validator is configured with allErrors enabled without compensating controls. With allErrors: true, Ajv keeps validating after the first failure and collects every error; each entry in ajv.errors carries the schemaPath, the violated keyword and its params (patterns, enum values, length and range limits). If that array is returned to the caller as-is, it discloses details of the internal schema, and the extra validation work per request is spent on attacker-controlled input. Collecting all errors is legitimate for developer tooling or trusted form validation; the finding applies when the detailed output can reach untrusted clients unsanitized.
Detection Strategy
• Search for Ajv configuration objects and initialization code (new Ajv(...), options objects passed to it)
• Check whether the allErrors option is set to true, directly or through a shared options object
• Verify whether the resulting ajv.errors array is sanitized before it leaves the service, or is returned verbatim (e.g. in an HTTP response body)
• Flag configurations where the detailed error output can reach an untrusted caller
Vulnerable code example
import Ajv from 'ajv';
const ajv = new Ajv({ allErrors: true }); // Vulnerable: every error is collected, with schemaPath and params; returning ajv.errors to the caller leaks schema details
const settings = { allErrors: true };
const ajv2 = new Ajv(settings); // Vulnerable: the same option arrives through a shared settings object
Secure code example
import Ajv, { Options } from 'ajv';
// Safe: allErrors false (Ajv's default) stops at the first error, so the output is a single error rather than a full map of the schema
const ajv = new Ajv({ allErrors: false });
// Safe: typed settings object with the secure default made explicit
const settings: Options = { allErrors: false };
const ajv2 = new Ajv(settings);
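The secure example above only flips the option. A practitioner usually also needs the second control the description mentions: never return the raw ajv.errors array to an untrusted caller, whatever the allErrors setting. The following is an added example, not code from the original page or from the Ajv project. It runs without the ajv package: the AjvLikeError interface is assumed to mirror the field names of Ajv v8's ErrorObject (instancePath, schemaPath, keyword, params, message), the sample errors are constructed to look like what allErrors: true produces for a body that violates several rules at once, and the helper names (isAllErrorsEnabled, hardenAjvOptions, toClientSafeErrors) are this example's own.

```typescript
// Added example; not the original page's or Ajv's own code.
// Assumed to match the shape of Ajv v8's Options and ErrorObject.
interface AjvLikeOptions {
  allErrors?: boolean;
  [key: string]: unknown;
}

interface AjvLikeError {
  instancePath: string;
  schemaPath: string;
  keyword: string;
  params: Record<string, unknown>;
  message?: string;
}

// What an untrusted client is allowed to see: where the problem is and what kind it is.
interface ClientError {
  path: string;
  reason: string;
}

// Detection check from the strategy above: does this options object enable allErrors?
function isAllErrorsEnabled(options: AjvLikeOptions | undefined): boolean {
  return options?.allErrors === true;
}

// Hardening: copy of the options with allErrors forced off, all other options untouched.
function hardenAjvOptions(options: AjvLikeOptions = {}): AjvLikeOptions {
  return { ...options, allErrors: false };
}

// Schema-independent reasons keyed by JSON Schema keyword. Unknown keywords fall
// back to one neutral phrase so that a new keyword cannot leak details by accident.
const GENERIC_REASONS: Record<string, string> = {
  required: "a required field is missing",
  type: "a field has the wrong type",
  pattern: "a field has an invalid format",
  enum: "a field has a value outside the allowed set",
  additionalProperties: "an unexpected field was supplied",
  minLength: "a field is too short",
  maxLength: "a field is too long",
};

// Sanitize Ajv errors before they leave the service: drop schemaPath, params
// (patterns, enum values, limits) and the raw message, and cap the count so a
// deliberately broken request cannot produce an oversized response.
function toClientSafeErrors(errors: AjvLikeError[] | null | undefined, limit = 5): ClientError[] {
  if (!errors) return [];
  return errors.slice(0, limit).map((e) => ({
    path: e.instancePath || "/",
    reason: GENERIC_REASONS[e.keyword] ?? "a field is invalid",
  }));
}

// Constructed sample: the kind of array allErrors: true yields for a body that
// fails three rules. The pattern, the enum values and the field name are the
// internal details that must not reach the client.
const sampleErrors: AjvLikeError[] = [
  { instancePath: "/email", schemaPath: "#/properties/email/pattern", keyword: "pattern",
    params: { pattern: "^[a-z0-9._%+-]+@example\\.com$" },
    message: 'must match pattern "^[a-z0-9._%+-]+@example\\.com$"' },
  { instancePath: "/role", schemaPath: "#/properties/role/enum", keyword: "enum",
    params: { allowedValues: ["user", "admin", "internal-auditor"] },
    message: "must be equal to one of the allowed values" },
  { instancePath: "", schemaPath: "#/required", keyword: "required",
    params: { missingProperty: "tenantId" },
    message: "must have required property 'tenantId'" },
];

// Usage: the options object the detector flags, its hardened form, and the
// response body that is safe to return.
const flagged: AjvLikeOptions = { allErrors: true, strict: true };
console.log(isAllErrorsEnabled(flagged));       // true
console.log(hardenAjvOptions(flagged));         // { allErrors: false, strict: true }
console.log(JSON.stringify(toClientSafeErrors(sampleErrors)));
```

The sanitizer keeps instancePath because the client needs to know which field to fix, and replaces everything else with a phrase chosen by keyword; the pattern, the allowed enum values and the name of the missing internal property never appear in the output. Keep the full ajv.errors array for server-side logs, where the schema details are useful and the reader is trusted.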