API-003 critical general

Server-side input validation

All user input is validated on the server using a validation library before processing

Question to ask

"What stops someone from sending you 10MB of garbage as a name field?"

Verification guide

Severity: Critical

All user input must be validated on the server. Client-side validation alone is not sufficient - it can be bypassed.

Check automatically:

  1. Check for validation libraries:

     # Node.js
     grep -E "\"zod\"|\"joi\"|\"yup\"|\"class-validator\"|\"express-validator\"|\"@sinclair/typebox\"|\"ajv\"" package.json 2>/dev/null

     # Python
     grep -E "pydantic|marshmallow|cerberus|voluptuous|jsonschema" requirements*.txt pyproject.toml setup.py 2>/dev/null

     # Go
     grep -E "go-playground/validator|ozzo-validation|govalidator" go.mod 2>/dev/null

     # Ruby
     grep -E "dry-validation|activemodel|strong_parameters" Gemfile 2>/dev/null

  2. Check validation usage in route handlers:

     # Zod/Joi/Yup schema validation
     grep -rE "\.parse\(|\.validate\(|\.validateAsync\(|schema\.(parse|validate)" src/ app/ routes/ --include="*.ts" --include="*.js" 2>/dev/null

     # Express-validator
     grep -rE "body\(|param\(|query\(|validationResult" src/ app/ routes/ --include="*.ts" --include="*.js" 2>/dev/null

     # Class-validator decorators
     grep -rE "@IsString|@IsNumber|@IsEmail|@IsNotEmpty|@ValidateNested" src/ app/ --include="*.ts" 2>/dev/null

     # Pydantic models
     grep -rE "class.*BaseModel|Field\(|validator" src/ app/ --include="*.py" 2>/dev/null

  3. Check for validation middleware:

     # Middleware patterns
     grep -rE "validateRequest|validateBody|validationMiddleware|zodMiddleware" src/ app/ lib/ 2>/dev/null

     # Request body parsing with validation
     grep -rE "app\.use.*json|bodyParser|express\.json" src/ app/ 2>/dev/null

  4. Check for unvalidated req.body usage:

     # Direct req.body access without validation (potential red flag)
     grep -rE "req\.body\." src/ app/ routes/ --include="*.ts" --include="*.js" 2>/dev/null | head -20

     # Check if validation happens before these usages
     # (Manual review needed)

  5. Check for error responses on invalid input:

     # 400 Bad Request responses
     grep -rE "400|BadRequest|ValidationError|Invalid" src/ app/ --include="*.ts" --include="*.js" --include="*.py" 2>/dev/null | head -10
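What the checks above are looking for, written out as an added example (this is not code from the checklist or from any project it describes): a dependency-free, Express-style validateRequest middleware that validates req.body against a schema on the server, drops unknown keys, answers invalid input with a 400 and a field-level error list, and rejects an oversized body before the handler runs. The schema, its field names, the 16 KiB body cap and the 413 response for oversized bodies are assumptions made for the demo; a real project would use one of the libraries the grep checks list (Zod, Joi, Yup, express-validator) and express.json({ limit }) for the size cap.

```javascript
// Added example, not part of the checklist: a dependency-free request
// validator shaped like a Zod/Joi-backed Express middleware. The schema,
// field names and the 16 KiB body cap are assumptions for the demo.

const MAX_BODY_BYTES = 16 * 1024; // assumed cap; express.json({ limit }) does the same job

// Declarative schema: field -> rule. Strings get a hard length ceiling, so a
// multi-megabyte "name" is rejected before any handler touches it.
const createUserSchema = {
  name:  { type: 'string', required: true, minLength: 1, maxLength: 100 },
  email: { type: 'string', required: true, maxLength: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  age:   { type: 'integer', required: false, min: 0, max: 150 },
};

// Validate `body` against `schema`. Returns { ok: true, value } holding only
// the declared fields (unknown keys are dropped), or { ok: false, errors }
// with one { field, message } entry per problem, ready for a helpful 400 body.
function validateBody(schema, body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: [{ field: '(root)', message: 'body must be a JSON object' }] };
  }
  const errors = [];
  const value = {};
  for (const [field, rule] of Object.entries(schema)) {
    const v = body[field];
    if (v === undefined) {
      if (rule.required) errors.push({ field, message: 'is required' });
      continue;
    }
    if (rule.type === 'string') {
      if (typeof v !== 'string') { errors.push({ field, message: 'must be a string' }); continue; }
      if (rule.minLength !== undefined && v.length < rule.minLength) {
        errors.push({ field, message: `must be at least ${rule.minLength} characters` }); continue;
      }
      if (rule.maxLength !== undefined && v.length > rule.maxLength) {
        errors.push({ field, message: `must be at most ${rule.maxLength} characters` }); continue;
      }
      if (rule.pattern && !rule.pattern.test(v)) { errors.push({ field, message: 'has an invalid format' }); continue; }
    } else if (rule.type === 'integer') {
      if (!Number.isInteger(v)) { errors.push({ field, message: 'must be an integer' }); continue; }
      if (rule.min !== undefined && v < rule.min) { errors.push({ field, message: `must be at least ${rule.min}` }); continue; }
      if (rule.max !== undefined && v > rule.max) { errors.push({ field, message: `must be at most ${rule.max}` }); continue; }
    }
    value[field] = v;
  }
  return errors.length > 0 ? { ok: false, errors } : { ok: true, value };
}

// Express-style middleware factory. Mount it before the route handler; on
// failure it answers 400 (or 413 for an oversized body) and never calls
// next(), so the handler only ever sees data that passed the schema.
function validateRequest(schema) {
  return function (req, res, next) {
    const raw = req.rawBody !== undefined ? req.rawBody : JSON.stringify(req.body === undefined ? {} : req.body);
    if (Buffer.byteLength(raw, 'utf8') > MAX_BODY_BYTES) {
      return res.status(413).json({ error: 'payload too large', limitBytes: MAX_BODY_BYTES });
    }
    const result = validateBody(schema, req.body);
    if (!result.ok) {
      return res.status(400).json({ error: 'validation failed', details: result.errors });
    }
    req.validated = result.value; // handlers read req.validated, never raw req.body
    return next();
  };
}

// Minimal stand-ins for Express' req/res so the middleware can be exercised
// without the framework installed. Returns what the client would observe.
function runMiddleware(schema, body, rawBody) {
  const req = { body, rawBody };
  const res = {
    statusCode: 200,
    payload: undefined,
    status(code) { this.statusCode = code; return this; },
    json(obj) { this.payload = obj; return this; },
  };
  let nextCalled = false;
  validateRequest(schema)(req, res, () => { nextCalled = true; });
  return { status: res.statusCode, payload: res.payload, nextCalled, validated: req.validated };
}

// Demo: a valid body (the extra "role" key is dropped), then the
// "10MB of garbage as a name field" case from the question above.
console.log(runMiddleware(createUserSchema, { name: 'Ada', email: 'ada@example.com', age: 36, role: 'admin' }));
console.log(runMiddleware(createUserSchema, { name: 'x'.repeat(10 * 1024 * 1024), email: 'ada@example.com' }).status);
```

The two things a reviewer should confirm in a real code base are exactly what this shape makes visible: the handler reads req.validated (or the schema's parsed result) rather than raw req.body, and the failure path is a deliberate 400 with field-level messages rather than an exception that surfaces as a 500.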

Ask user:

  • "What validation library do you use?"
  • "Are all API endpoints validated before processing?"
  • "What happens when validation fails? (400 response?)"

Cross-reference with:

  • API-004 (SQL injection - validation is first line of defense)
  • API-005 (XSS - input validation helps but output encoding is key)

Pass criteria:

  • Validation library in use
  • Request handlers validate input before processing
  • Invalid input returns 400 with helpful error messages

Fail criteria:

  • No validation library found
  • Route handlers trust req.body without validation
  • Validation only exists in frontend code
  • Invalid input causes 500 errors instead of 400

Evidence to capture:

  • Validation library/approach used
  • Sample validated endpoints
  • Error response format for validation failures
  • Any routes that appear to skip validation

Section

31. API Design

API & Security