[Question]: Still not understand the security notices on validation docs

[mandaputtra]

As mentioned on docs :

Fastify uses a schema-based approach, and even if it is not mandatory we recommend using JSON Schema to validate your routes and serialize your outputs. Internally, Fastify compiles the schema into a highly performant function.

As both validation and serialization features dynamically evaluate code with new Function(), it is not safe to use them with user-provided data. See Ajv and fast-json-stringify for more details.

Question :

1. So fastify team recomended using .json file to validate and serialize outputs since it uses ajv? or doing it like all the code example on docs?

2. What does 'user-provided data' in security notices mean?

Thanks, 😄

[mcollina]

All code examples in docs are fine.
User-provided data is data inserted by a user into a database for example.

[mandaputtra]

I'm using fastify validation and serialization, to validate user input, so that isn't recommended? Why?

[mcollina]

That is recommended, you are good.

The correct line is:

treat your schema as you would treat your application code.

I’ll clarify the text later on.

[mandaputtra]

Okay thanks now I understand 😄 👍