chore(deps): update dependency class-validator to v0.14.0 [security] (#1968)

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|---|---|
| [class-validator](https://togithub.com/typestack/class-validator) | dependencies | minor | [`0.13.2` -> `0.14.0`](https://renovatebot.com/diffs/npm/class-validator/0.13.2/0.14.0) | [![age](https://badges.renovateapi.com/packages/npm/class-validator/0.14.0/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/class-validator/0.14.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/class-validator/0.14.0/compatibility-slim/0.13.2)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/class-validator/0.14.0/confidence-slim/0.13.2)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2019-18413](https://nvd.nist.gov/vuln/detail/CVE-2019-18413)

In TypeStack class-validator, `validate()` input validation can be
bypassed because certain internal attributes can be overwritten via a
conflicting name. Even though there is an optional `forbidUnknownValues`
parameter that can be used to reduce the risk of this bypass, this
option is not documented and thus most developers configure input
validation in the vulnerable default manner. With this vulnerability,
attackers can launch SQL Injection or XSS attacks by injecting arbitrary
malicious input.

The default setting for `forbidUnknownValues` has been changed to
`true` in 0.14.0.

NOTE: a software maintainer agrees with the "is not documented" finding
but suggests that much of the responsibility for the risk lies in a
different product.
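What the `forbidUnknownValues` default actually changes, as an added illustration that is not code from class-validator or from this repository: a minimal model, in TypeScript, of a validator that finds its rules through a per-class registry, the way decorator metadata is looked up at `validate()` time. The registry, the `addRule` helper, the `JsonRpcRequest` class, its rule messages and the two sample bodies are all constructed for this example. The point it shows is the one the advisory describes: an object that never got bound to a validated class has no rules to fail, so the pre-0.14.0 default reports it as valid, while `forbidUnknownValues: true` rejects it outright.

```typescript
// Added illustration, not class-validator's source: a minimal model of a
// validator that keeps its rules in a per-class registry and of what the
// `forbidUnknownValues` option changes.

type Rule = (value: unknown) => string | null;
type Ctor = Function;

// Registry keyed by constructor, mirroring how decorator metadata is found
// through `object.constructor` when validate() runs.
const registry = new Map<Ctor, Map<string, Rule[]>>();

// Stand-in for a property decorator such as @IsArray(): records one rule for
// (class, property). Constructed for this example.
function addRule(target: Ctor, property: string, rule: Rule): void {
  let props = registry.get(target);
  if (props === undefined) {
    props = new Map<string, Rule[]>();
    registry.set(target, props);
  }
  const rules = props.get(property);
  if (rules === undefined) {
    props.set(property, [rule]);
  } else {
    rules.push(rule);
  }
}

export interface ValidatorOptions {
  // Defaulted to false before 0.14.0; 0.14.0 flips the default to true.
  forbidUnknownValues?: boolean;
}

// Returns a list of error messages; an empty list means "valid".
export function validate(object: object, options: ValidatorOptions = {}): string[] {
  const ctor = (object as { constructor: Ctor }).constructor;
  const props = registry.get(ctor);

  if (props === undefined) {
    // Nothing is registered for this constructor. With forbidUnknownValues
    // off there are no rules to fail, so the object is reported valid: this is
    // the silent pass the advisory warns about. With it on, it is rejected.
    return options.forbidUnknownValues === true
      ? ['an unknown value was passed to the validate function']
      : [];
  }

  const errors: string[] = [];
  props.forEach((rules, property) => {
    const value = (object as Record<string, unknown>)[property];
    rules.forEach((rule) => {
      const message = rule(value);
      if (message !== null) errors.push(message);
    });
  });
  return errors;
}

// A request DTO constructed for this example, with rules equivalent to
// @IsString() on `method` and @IsArray() on `params`.
export class JsonRpcRequest {
  constructor(public method: unknown, public params: unknown) {}
}
addRule(JsonRpcRequest, 'method', (v) => (typeof v === 'string' ? null : 'method must be a string'));
addRule(JsonRpcRequest, 'params', (v) => (Array.isArray(v) ? null : 'params must be an array'));

// Constructed sample bodies: `bound` is an instance of the DTO, `unbound` is a
// plain object with the same bad contents that was never attached to the class.
export const bound = new JsonRpcRequest(1, 'not-an-array');
export const unbound: object = { method: 1, params: 'not-an-array' };

console.log('bound DTO:', validate(bound));
console.log('plain object, forbidUnknownValues=false:', validate(unbound, { forbidUnknownValues: false }));
console.log('plain object, forbidUnknownValues=true: ', validate(unbound, { forbidUnknownValues: true }));
```

In a NestJS application the binding step is the ValidationPipe converting the raw body into a DTO instance; with the new default, anything that ends up without registered metadata is rejected instead of waved through. A DTO class that carries no decorators at all has no metadata either and lands in the same branch, which is consistent with this commit adding `@IsOptional()`/`@IsArray()` to classes whose `params` field was previously undecorated.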

---

### Release Notes

<details>
<summary>typestack/class-validator</summary>

### [`v0.14.0`](https://togithub.com/typestack/class-validator/blob/HEAD/CHANGELOG.md#&#8203;0140-httpsgithubcomtypestackclass-validatorcomparev0132v0140-2022-12-09)

[Compare
Source](https://togithub.com/typestack/class-validator/compare/v0.13.2...v0.14.0)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://app.renovatebot.com/dashboard#github/JellyfishSDK/jellyfish).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Fuxing Loh <[email protected]>
renovate[bot] and fuxingloh authored Jan 24, 2023
1 parent e5b6f74 commit 19011fd
Showing 6 changed files with 47 additions and 31 deletions.
3 changes: 3 additions & 0 deletions .idea/dictionaries/fuxing.xml


2 changes: 1 addition & 1 deletion apps/package.json
Expand Up @@ -41,7 +41,7 @@
"cache-manager": "4.1.0",
"cbor": "8.1.0",
"class-transformer": "0.5.1",
"class-validator": "0.13.2",
"class-validator": "0.14.0",
"cross-fetch": "3.1.5",
"graphology": "0.25.1",
"graphology-components": "1.5.4",
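Review bot: the pin moves to 0.14.0, which per the advisory text above flips class-validator's `forbidUnknownValues` default to `true`; before merging, worth confirming that no ValidationPipe in the apps passes `forbidUnknownValues: false` explicitly (that would keep the CVE-2019-18413 bypass in place despite the bump) and that the package-lock.json change in this commit resolves class-validator to the same 0.14.0 rather than a stale 0.13.x entry.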
7 changes: 6 additions & 1 deletion apps/playground-api/src/controllers/RpcController.ts
Expand Up @@ -10,6 +10,8 @@ import {
ArgumentMetadata
} from '@nestjs/common'
import { ApiClient } from '@defichain/jellyfish-api-core'
import { IsArray, IsOptional } from 'class-validator'
import { Transform } from 'class-transformer'

/**
* MethodWhitelist is a whitelist validation pipe to check whether a plain old rpc can be
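Review bot: `Transform` from class-transformer is imported next to the class-validator decorators, but the `@Transform` default it enables only reaches the route handler when the ValidationPipe applied to this controller runs with `transform: true`; a one-line comment on the import (or on the DTO below) naming that dependency would spare the next reader a trip to the module setup to see why the default is trusted.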
Expand Down Expand Up @@ -63,7 +65,10 @@ export class MethodBlacklist implements PipeTransform {
}

export class CallRequest {
params?: any[]
@IsOptional()
@IsArray()
@Transform(({ value }) => value !== undefined ? value : [])
params!: any[]
}

@Controller('/v0/playground/rpc')
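Review bot: the `@Transform` callback on `params` replaces only `undefined` (`value !== undefined ? value : []`), so a body carrying `params: null` is left as `null`, and `@IsOptional()` then skips the `@IsArray()` check for `null` as well; the result is a field declared `params!: any[]` that can still be `null` at runtime. Either use `value ?? []` in the transform, or drop `@IsOptional()` now that the transform supplies the default, so that `@IsArray()` sees every value.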
2 changes: 1 addition & 1 deletion apps/whale-api/src/module.api/rpc.controller.spec.ts
Expand Up @@ -38,7 +38,7 @@ it('should getblockchaininfo via deprecated endpoint', async () => {
it('should getblockchaininfo via JSON RPC 1.0', async () => {
const result = await controller.post({
method: 'getblockchaininfo'
})
} as any)
expect(result.result.chain).toStrictEqual('regtest')
})

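Review bot: the `as any` cast is needed only because `params` became non-optional in the `JSONRPC` type (see the rpc.controller.ts hunk below) while the request body may still omit it, so the test now bypasses the type instead of documenting the contract. Either send `params: []` explicitly here, or add a second case that posts a non-array `params` and asserts a validation error, since that rejection plus the default-to-`[]` path is the behaviour this bump is meant to enforce and neither is covered by the existing spec.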
9 changes: 6 additions & 3 deletions apps/whale-api/src/module.api/rpc.controller.ts
Expand Up @@ -54,7 +54,10 @@ export class MethodWhitelist implements PipeTransform {
}

export class JSONRPCParams {
params?: any[]
@IsOptional()
@IsArray()
@Transform(({ value }) => value !== undefined ? value : [])
params!: any[]
}

export class JSONRPC {
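Review bot: `JSONRPCParams.params` now carries the same `@IsOptional()`/`@IsArray()`/`@Transform` stack as `JSONRPC.params` below and `CallRequest.params` in the playground controller, so the default-to-`[]` rule lives in three places and will drift; a shared base class or a small composed decorator (name of your choosing) would keep it in one. Also, nothing in this hunk shows `JSONRPCParams` being referenced with `@ValidateNested()` and a class-transformer `@Type()`; if it is used as a nested DTO, the parent needs both for these decorators to run at all.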
Expand All @@ -68,7 +71,7 @@ export class JSONRPC {
@IsOptional()
@IsArray()
@Transform(({ value }) => value !== undefined ? value : [])
params?: any[]
params!: any[]
}

@Controller('/rpc')
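Review bot: changing `params?: any[]` to `params!: any[]` is a compile-time assertion only; the runtime guarantee comes from the `@Transform` line just above it and from the ValidationPipe handing the transformed instance to the handler. A short comment on the property stating that the `!` is backed by the transform default would make the intent clear to readers who otherwise see a required field decorated with `@IsOptional()`.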
Expand All @@ -79,7 +82,7 @@ export class RpcController {
@Post()
async post (@Body() rpc: JSONRPC): Promise<ApiRpcResponse> {
try {
const result = await this.client.call(rpc.method, rpc.params ?? [], 'lossless')
const result = await this.client.call(rpc.method, rpc.params, 'lossless')
return new ApiRpcResponse(result)
} catch (err: any) {
if (err instanceof RpcApiError || err.payload !== undefined) {
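Review bot: removing `?? []` at the `client.call` site makes the handler depend on this route's ValidationPipe being configured with `transform: true`; NestJS's ValidationPipe validates the class-transformer instance but returns the original body to the handler unless that option is set, in which case `rpc.params` is `undefined` for bodies that omit it and the call no longer behaves as the previous line did. Keeping `?? []` costs nothing, or add a test that omits `params` and asserts the client receives `[]`.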
55 changes: 30 additions & 25 deletions package-lock.json


0 comments on commit 19011fd

Please sign in to comment.