`audit-argument-checks` does not make sure that you have checked all arguments that you have defined, it makes sure that you have checked all arguments that were passed.[1]
Consider the following example:

```js
Meteor.methods({
  whale : function(foo) {
    return 'Hello ground!'
  }
})
```
If we call this method from the client, here is what happens on the server:

```js
Meteor.call('whale')        // Nothing happens
Meteor.call('whale', 'foo') // Exception
```
Passing no arguments means `audit-argument-checks` throws no exception, even if no `check` has been written.

However, it also means that passing too many arguments will make your method throw an exception.
```js
Meteor.methods({
  ground : function(whale) {
    check(whale, Patterns.cetacea)
    answerTo(whale)
  }
})
```

```js
Meteor.call('ground', MobyDick)       // All is fine
Meteor.call('ground', MobyDick, true) // Exception
```
If you run into this, it means you are doing something wrong: the client is passing arguments you are not aware of. If this happens during development, it means you do not know which arguments are being passed to your method, and that is likely a problem.
It can also happen that installed packages use methods with more parameters than expected. Refer to their respective documentation to know exactly what parameters are passed (or just write `console.log(arguments)`) so that you can make sure to write proper, secure code.[2]
[1]: See https://github.com/meteor/meteor/blob/devel/packages/ddp-server/livedata_server.js#L1686
[2]: Or just write dirty insecure code: `check(arguments, [Match.any])`, as per the docs.
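As an added illustration (constructed for this page, not Meteor's own source and not part of the answer above), here is a small model of the rule the answer describes: every argument that was actually passed must have been handed to `check()`, and checking the whole `arguments` object counts for each element. The names `runAudited`, `callOutcome`, `isObject`, `Any` and the sample methods are hypothetical, and patterns are plain predicates instead of the real `Match` API.

```javascript
// Minimal model of the audit-argument-checks rule (constructed example,
// not Meteor's implementation): track every argument that was passed,
// let check() mark values as inspected, and fail after the method body
// if anything that was passed was never checked.
const isArrayLike = (v) =>
  Array.isArray(v) || Object.prototype.toString.call(v) === '[object Arguments]';

function runAudited(method, args) {
  const unchecked = [...args]; // everything passed starts out unchecked
  const markChecked = (value) => {
    const i = unchecked.indexOf(value); // removes one occurrence only
    if (i !== -1) unchecked.splice(i, 1);
  };
  // Patterns are plain predicates here; [pred] means "array of pred".
  const check = (value, pattern) => {
    if (Array.isArray(pattern)) {
      if (!isArrayLike(value)) throw new Error('Match error');
      for (const v of Array.from(value)) {
        if (!pattern[0](v)) throw new Error('Match error');
      }
    } else if (!pattern(value)) {
      throw new Error('Match error');
    }
    markChecked(value);
    // check(arguments, [...]) or check([a, b], [...]) counts for each element,
    // which is why the footnote's check(arguments, [Match.any]) silences the audit.
    if (isArrayLike(value)) Array.from(value).forEach(markChecked);
  };
  const result = method.call({ check }, ...args);
  if (unchecked.length > 0) {
    throw new Error(`Did not check() all arguments: ${unchecked.length} unchecked`);
  }
  return result;
}

const isObject = (v) => v !== null && typeof v === 'object';
const Any = () => true;

// Sample methods modelled on the answer's whale/ground examples.
const methods = {
  whale() { return 'Hello ground!'; },                               // checks nothing
  ground(whale) { this.check(whale, isObject); return 'answered'; }, // checks one arg
  dirty() { this.check(arguments, [Any]); return arguments.length; } // checks all
};

// Returns the thrown message instead of throwing, so outcomes compare directly.
function callOutcome(name, ...args) {
  try { return runAudited(methods[name], args); } catch (e) { return e.message; }
}
```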