Skip to content

Joi.string().uri() accepts "https://" as a valid url #1732

New issue
New issue
Closed
Closed
Joi.string().uri() accepts "https://" as a valid url#1732
Assignees
hueniverse
Labels
bugBug or defect
Milestone
16.0.0
@papandreou

Description

@papandreou
papandreou
opened on Feb 25, 2019

Context

  • node version: 10.11.0
  • joi version: 14.3.1
  • environment (node, browser): node
  • used with (hapi, standalone, ...): standalone

What are you trying to achieve or the steps to reproduce ?

I'd like to sanity check urls that my users enter, but Joi.string().uri() accepts a url without a hostname at all:

const schema = Joi.string().uri()
console.log(Joi.validate('https://', schema));

Which result you had ?

{ error: null, ...}

What did you expect ?

That a host name is required. It's not very helpful to allow "https://" in most scenarios.

None of the options for uri help with this.

It seems like it comes down to a very liberal regName regexp that also allows the empty string:

joi/lib/types/string/rfc3986.js

Line 149 in bc09c65

const regName = '[' + unreserved + pctEncoded + subDelims + ']{0,255}';

I understand that the idea behind rfc3986.js is to do a 1-to-1 translation of the URL RFC, and that reg-name is defined exactly like this in https://tools.ietf.org/html/rfc3986#section-3.2.2

... but I'll argue that it's very rare that you want to be that liberal in a validation scenario.

Metadata

Metadata

Assignees

Labels

bugBug or defect

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions