Turn onConstructorPoisoning to 'error' (fastify#2243)

This remove an old TODO for v3

build/build-validation.js

@@ -21,8 +21,7 @@ const defaultInitOptions = {
   ignoreTrailingSlash: false,
   maxParamLength: 100,
   onProtoPoisoning: 'error',
-  // TODO v3: default should be 'error'
-  onConstructorPoisoning: 'ignore',
+  onConstructorPoisoning: 'error',
   pluginTimeout: 10000,
   requestIdHeader: 'request-id',
   requestIdLogLabel: 'reqId',

lib/configValidator.js

@@ -20,7 +20,7 @@ var validate = (function() {
       if (data.disableRequestLogging === undefined) data.disableRequestLogging = false;
       if (data.maxParamLength === undefined) data.maxParamLength = 100;
       if (data.onProtoPoisoning === undefined) data.onProtoPoisoning = "error";
-      if (data.onConstructorPoisoning === undefined) data.onConstructorPoisoning = "ignore";
+      if (data.onConstructorPoisoning === undefined) data.onConstructorPoisoning = "error";
       if (data.pluginTimeout === undefined) data.pluginTimeout = 10000;
       if (data.requestIdHeader === undefined) data.requestIdHeader = "request-id";
       if (data.requestIdLogLabel === undefined) data.requestIdLogLabel = "reqId";
@@ -664,7 +664,7 @@ validate.schema = {
     },
     "onConstructorPoisoning": {
       "type": "string",
-      "default": "ignore"
+      "default": "error"
     },
     "pluginTimeout": {
       "type": "integer",
@@ -692,4 +692,4 @@ function customRule0 (schemaParamValue, validatedParamValue, validationSchemaObj
   return true
 }
 
-module.exports.defaultInitOptions = {"connectionTimeout":0,"keepAliveTimeout":5000,"bodyLimit":1048576,"caseSensitive":true,"disableRequestLogging":false,"ignoreTrailingSlash":false,"maxParamLength":100,"onProtoPoisoning":"error","onConstructorPoisoning":"ignore","pluginTimeout":10000,"requestIdHeader":"request-id","requestIdLogLabel":"reqId","http2SessionTimeout":5000}
+module.exports.defaultInitOptions = {"connectionTimeout":0,"keepAliveTimeout":5000,"bodyLimit":1048576,"caseSensitive":true,"disableRequestLogging":false,"ignoreTrailingSlash":false,"maxParamLength":100,"onProtoPoisoning":"error","onConstructorPoisoning":"error","pluginTimeout":10000,"requestIdHeader":"request-id","requestIdLogLabel":"reqId","http2SessionTimeout":5000}

test/internals/initialConfig.test.js

@@ -27,7 +27,7 @@ test('without options passed to Fastify, initialConfig should expose default val
     ignoreTrailingSlash: false,
     maxParamLength: 100,
     onProtoPoisoning: 'error',
-    onConstructorPoisoning: 'ignore',
+    onConstructorPoisoning: 'error',
     pluginTimeout: 10000,
     requestIdHeader: 'request-id',
     requestIdLogLabel: 'reqId',
@@ -238,7 +238,7 @@ test('Should not have issues when passing stream options to Pino.js', t => {
       ignoreTrailingSlash: true,
       maxParamLength: 100,
       onProtoPoisoning: 'error',
-      onConstructorPoisoning: 'ignore',
+      onConstructorPoisoning: 'error',
       pluginTimeout: 10000,
       requestIdHeader: 'request-id',
       requestIdLogLabel: 'reqId',

test/proto-poisoning.test.js

@@ -82,7 +82,7 @@ test('proto-poisoning ignore', t => {
   })
 })
 
-test('constructor-poisoning ignore (default in v2)', t => {
+test('constructor-poisoning error (default in v3)', t => {
   t.plan(3)
 
   const fastify = Fastify()
@@ -102,7 +102,7 @@ test('constructor-poisoning ignore (default in v2)', t => {
       body: '{ "constructor": { "prototype": { "foo": "bar" } } }'
     }, (err, response, body) => {
       t.error(err)
-      t.strictEqual(response.statusCode, 200)
+      t.strictEqual(response.statusCode, 400)
     })
   })
 })
@@ -135,7 +135,7 @@ test('constructor-poisoning error', t => {
 test('constructor-poisoning remove', t => {
   t.plan(4)
 
-  const fastify = Fastify({ onProtoPoisoning: 'remove' })
+  const fastify = Fastify({ onConstructorPoisoning: 'remove' })
   t.tearDown(fastify.close.bind(fastify))
 
   fastify.post('/', (request, reply) => {