PersistedModel.updateAll() ignores validation

[florianheinze]

I have this model:

{
  "name": "Foo",
  "strict": "validate",
  "options": { "validateUpsert": true },
  "properties": {
    "name": {
      "type": "String",
      "min": 5
    }
  }
}

If I create a new entry with a three character name, I get, as expected, a validation error. However if I create a new entry with a longer name and then update that name to three characters, there is no validation error and the change is written to the DB.

As far as I can tell the whole validation is not triggered when updateAll() is used.

Steps to reproduce:

• Clone repository https://github.com/onBill/loopback-sandbox-validation
• Run node .
• The essential code is found in server/boot/foo.js.

[Amir-61]

Yes thats seems a bug to me; the validation is not implemented for updateAll/ update

[dmitru]

Any updates on the issue?

[Amir-61]

@dmitru IIRC updateAll/update do not have validation; would you like to submit a patch?

[ahmed-abdulmoniem]

This is still not implemented?

Also, updateAttributes the same?

[tvdstaaij]

Would like to note that this is a very serious issue, this makes it very easy to corrupt instances through the API. These instances will then fail to validate when they are partially updated with a different set of properties than the one(s) that were corrupted. It's even worse with NoSQL backends: I strongly suspect this issue prevents strict mode from being enforced with updateAll, and adding random properties outside of the model spec would prevent instances from ever being instance-updateable again (due to #759).

I would even consider this a security issue since it allows users to sabotage app features for other users.

[vkruoso]

This is really a consistency problem that will actually allow a malicious user to overcome the developer assertions about its data. Is there any update on this?

[Amir-61]

@kjdelisle @strongloop/sq-lb-apex PTAL ☝️

[ssh24]

The issue should be fixed on the upcoming version of juggler. Thank you for your patience!

[bajtos]

Hello, I think the solution landed via #771 is a breaking change, see #1445 (comment), and we should rework it to preserve backwards compatibility, before the new version of juggler is released.

[bajtos]

Essentially, we need to run a partial validation that will validate only properties affected by updateAttribtes or updateAll request. I am afraid this is way too difficult to achieve in the current LB 3.x code base. We are aware of this issue and would like to eventually address it in LoopBack 4.x (or later) - see the discussion in loopbackio/loopback-next#1872.

I am going to lock this issue down, in order to move the discussion to loopbackio/loopback-next#1872.