Aspnetcore: Model binding failure should return friendlier message with option to customize it

Created on 23 Jul 2019  路  6Comments  路  Source: dotnet/aspnetcore

Description

Model binding fails due to try parse whitespaced string to decimal property and exposing sensitive info to client.

To Reproduce

Steps to reproduce the behavior:

  1. I have very simple ApiController:
[ApiController]
public class ProductsController
{
    [HttpPost]
    public IActionResult Post([FromBody]CreateProductDto model)
    {    
        model.Id = await service.CreateProduct(model);

        return CreatedAtRoute(
            routeName: "GetProduct", 
            routeValues: new { id = model.Id }, 
            value: model
        );
    }
}
  1. And model:
public class CreateProductDto
{
    [Required(ErrorMessage = "Invalid value")]
    public decimal totalPrice { get; set;}

    public int count { get; set; }
}

  1. And posting json:
    { "totalPrice": " ", "count": " " }

  2. And the following model state error is returned:
    totalPrice: ["Could not convert string to decimal: . Path 'totalPrice', line 1, position 71."] 0: "Could not convert string to decimal: . Path 'totalPrice', line 1, position 71."

Expected behavior

Expected more user friendly message which can be exposed to api client when validating input.

Tried possible solutions

  1. To make model fields strings and then parse and validate them. (not cool solution)
  2. To use Mvc Options.ModelBindingMessageProvider if applicable, but doesn't for that specific case. Would be pretty cool if can.
  3. To use IValidatableObject - as the binding fails before constructing the model, this is not possible.
  4. Using Validatation Attribute - same as above. Model binding fails before that.

Additional info

NET Core SDK (reflecting any global.json):
 Version:   2.1.701
 Commit:    8cf7278aa1

Runtime Environment:
 OS Name:     fedora
 OS Version:  30
 OS Platform: Linux
 RID:         fedora.30-x64
 Base Path:   /usr/share/dotnet/sdk/2.1.701/

Host (useful for support):
  Version: 2.1.12
  Commit:  ccea2e606d

.NET Core SDKs installed:
  2.1.701 [/usr/share/dotnet/sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.All 2.1.12 [/usr/share/dotnet/shared/Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.1.12 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.1.12 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
External area-mvc enhancement feature-Model-Binding
Source
picture gmarokov
👍2

Most helpful comment

Thanks for contacting us, @gmarokov.
We'll look into providing a mechanism for sanitizing these exceptions after 3.0 release.

picture mkArtakMSFT on 25 Jul 2019
👍2

All 6 comments

Thanks for contacting us, @gmarokov.
We'll look into providing a mechanism for sanitizing these exceptions after 3.0 release.

mkArtakMSFT picture mkArtakMSFT on 25 Jul 2019
👍2

@mkArtakMSFT Is there any current workaround for this issue?

DreamingDevs picture DreamingDevs on 1 May 2020

Thanks for contacting us, @gmarokov.
We'll look into providing a mechanism for sanitizing these exceptions after 3.0 release.

Any update now?

thatpoordev picture thatpoordev on 6 Aug 2020

Any update now?

CriggerMarg picture CriggerMarg on 31 Aug 2020

@mkArtakMSFT Any update now?

1290690484 picture 1290690484 on 20 Sep 2020
😄1

Still no fix for this?

WillJiCar picture WillJiCar on 5 Nov 2020
😄1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

Kevenvz picture Kevenvz  路  3Comments
fayezmm picture fayezmm  路  3Comments
TanvirArjel picture TanvirArjel  路  3Comments
markrendle picture markrendle  路  3Comments
mj1856 picture mj1856  路  3Comments