Missing Input Validation

Request body used without validation

Severity: critical | Category: security | Tag: input-validation

Why this matters

Unvalidated input is the root cause of injection attacks, type confusion, and data corruption. AI coding tools assume that the request body has the shape the handler expects; attackers do not, and will send nulls, arrays, nested objects, or unexpected extra fields wherever a string was assumed.

Bad
// Whatever JSON the client sends is destructured and written straight to the
// database: email may be an object or array, role may be any string at all.
export async function POST(req: Request) {
  const { email, role } = await req.json();
  await db.user.create({ data: { email, role } });
  return Response.json({ ok: true });
}
Good
import { z } from "zod";

// The schema is the single source of truth for what a valid body looks like.
// Unknown keys are stripped by default, so extra fields never reach the database.
const schema = z.object({
  email: z.string().email(),
  role: z.enum(["user", "admin"]),
});

export async function POST(req: Request) {
  // safeParse never throws; a failed parse is turned into a 400 instead of
  // surfacing as an unhandled error (and a 500) the way parse() would.
  const result = schema.safeParse(await req.json().catch(() => null));
  if (!result.success) {
    return Response.json({ error: result.error.flatten() }, { status: 400 });
  }
  // result.data is typed { email: string; role: "user" | "admin" }.
  // `db` is the application's database client, as in the original snippet.
  await db.user.create({ data: result.data });
  return Response.json({ ok: true });
}

How to fix

Validate every request body with Zod, Valibot, or a similar schema library before using the data. Reject invalid payloads with a 400 response. Schema validation only establishes the shape and type of the data; whether this caller is allowed to set a given value (for example role "admin") is an authorization check that still has to be made separately.
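The following is an added example, not code from the page or from Zod: it hand-rolls the checks the Zod schema above performs so that it runs with no dependencies, and exercises the type-confusion payloads the "Bad" handler would have accepted. `handleCreateUser` and its `createUser` callback are assumed stand-ins for the route handler and `db.user.create`.

```typescript
// Added example (not the page's own code): the same validation the Zod schema
// above performs, written by hand so it runs offline, plus the 400 response path.
type Role = "user" | "admin";
type NewUser = { email: string; role: Role };
type Result = { status: number; body: unknown };

const ROLES: readonly Role[] = ["user", "admin"];
// Deliberately simple email shape check: non-empty local part, "@", dotted domain.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Returns a list of validation issues; an empty list means the payload is valid.
function validateNewUser(raw: unknown): string[] {
  const issues: string[] = [];
  // Type-confusion guard: JSON.parse can yield null, arrays, numbers or strings,
  // all of which the unvalidated "Bad" handler would happily destructure.
  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) {
    return ["body must be a JSON object"];
  }
  const obj = raw as Record<string, unknown>;
  if (typeof obj.email !== "string" || !EMAIL_RE.test(obj.email)) {
    issues.push("email must be a valid email address");
  }
  if (typeof obj.role !== "string" || !ROLES.includes(obj.role as Role)) {
    issues.push(`role must be one of: ${ROLES.join(", ")}`);
  }
  return issues;
}

// Mirrors the route handler: 400 with the issue list on bad input, 200 on success.
// `createUser` is a hypothetical stand-in for db.user.create so this runs offline.
// Only the validated fields are forwarded; unknown keys are dropped, which is what
// keeps a client from smuggling extra columns into the insert (mass assignment).
// Whether this caller may request role "admin" is an authorization decision made
// elsewhere; validation only guarantees the value is one of the allowed strings.
function handleCreateUser(
  raw: unknown,
  createUser: (data: NewUser) => void = () => {},
): Result {
  const issues = validateNewUser(raw);
  if (issues.length > 0) {
    return { status: 400, body: { error: "invalid payload", issues } };
  }
  const { email, role } = raw as NewUser;
  createUser({ email, role });
  return { status: 200, body: { ok: true } };
}
```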
