Version Packages (#1145)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

packages/arktype-validator/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @hono/arktype-validator
 
+## 2.0.1
+
+### Patch Changes
+
+- [#1137](https://github.com/honojs/middleware/pull/1137) [`01cd896e9b3c6a00c3c16ed59e0c3d20f5983918`](https://github.com/honojs/middleware/commit/01cd896e9b3c6a00c3c16ed59e0c3d20f5983918) Thanks [@MonsterDeveloper](https://github.com/MonsterDeveloper)! - Don't return restricted data fields on error responses
+
 ## 2.0.0
 
 ### Major Changes

packages/arktype-validator/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hono/arktype-validator",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "description": "ArkType validator middleware",
   "type": "module",
   "main": "dist/index.js",

packages/arktype-validator/src/index.test.ts

@@ -35,6 +35,17 @@ describe('Basic', () => {
     }
   )
 
+  app.get(
+    '/headers',
+    arktypeValidator(
+      'header',
+      type({
+        'User-Agent': 'string',
+      })
+    ),
+    (c) => c.json({ success: true, userAgent: c.header('User-Agent') })
+  )
+
   type Actual = ExtractSchema<typeof route>
   type Expected = {
     '/author': {
@@ -98,6 +109,22 @@ describe('Basic', () => {
     const data = (await res.json()) as { success: boolean }
     expect(data['success']).toBe(false)
   })
+
+  it("doesn't return cookies after headers validation", async () => {
+    const req = new Request('http://localhost/headers', {
+      headers: {
+        'User-Agent': 'invalid',
+        Cookie: 'SECRET=123',
+      },
+    })
+
+    const res = await app.request(req)
+    expect(res).not.toBeNull()
+    expect(res.status).toBe(400)
+    const data = (await res.json()) as { succcess: false; errors: type.errors }
+    expect(data.errors).toHaveLength(1)
+    expect(data.errors[0].data).not.toHaveProperty('cookie')
+  })
 })
 
 describe('With Hook', () => {

packages/arktype-validator/src/index.ts

@@ -10,6 +10,10 @@ export type Hook<T, E extends Env, P extends string, O = {}> = (
 
 type HasUndefined<T> = undefined extends T ? true : false
 
+const RESTRICTED_DATA_FIELDS = {
+  header: ['cookie'],
+}
+
 export const arktypeValidator = <
   T extends Type,
   Target extends keyof ValidationTargets,
@@ -54,7 +58,31 @@ export const arktypeValidator = <
       return c.json(
         {
           success: false,
-          errors: out,
+          errors:
+            target in RESTRICTED_DATA_FIELDS
+              ? out.map((error) => {
+                  const restrictedFields =
+                    RESTRICTED_DATA_FIELDS[target as keyof typeof RESTRICTED_DATA_FIELDS] || []
+
+                  if (
+                    error &&
+                    typeof error === 'object' &&
+                    'data' in error &&
+                    typeof error.data === 'object' &&
+                    error.data !== null &&
+                    !Array.isArray(error.data)
+                  ) {
+                    const dataCopy = { ...(error.data as Record<string, unknown>) }
+                    for (const field of restrictedFields) {
+                      delete dataCopy[field]
+                    }
+
+                    error.data = dataCopy
+                  }
+
+                  return error
+                })
+              : out,
         },
         400
       )