Pantsir

Input Validation

Level: Required
OWASP: A03: Injection
CWE: CWE-20
Updated: 2025-08-01

Enforce strict input validation at every trust boundary using allow-lists and strong types.

Well-defined, strict input validation prevents a large class of vulnerabilities like injection and deserialization issues.

Principles

  1. Prefer allow-lists over block-lists.
  2. Validate at the boundary (HTTP, message queues, CLIs) before processing.
  3. Use strong types and schema validation where possible.
  4. Normalize inputs before validation (trim, Unicode NFKC when needed).

Examples

Server-side schema validation (TypeScript)

import { z } from "zod";

// The schema is the allow-list: every field has a strong type and a bounded range.
const UserSchema = z.object({
  id: z.string().uuid(),
  email: z.string().email(),
  age: z.number().int().min(13).max(120),
});

// Accepts untrusted input as `unknown`; parse() throws ZodError on any violation.
export function validateUser(payload: unknown) {
  return UserSchema.parse(payload);
}

Python input normalization

def normalize_username(s: str) -> str:
    """Trim surrounding whitespace and case-fold (Unicode-aware lowercasing) before validating."""
    return s.strip().casefold()

Do and Don't

  • Do validate on both client and server (server is authoritative).
  • Do centralize validation to shared utilities.
  • Don't build SQL dynamically from input; use parameterized queries, and still validate business constraints.
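As an added worked example (not code from this page or the Pantsir project), the following Python module applies all four principles at one boundary: NFKC normalization and case-folding before validation, a regex allow-list, strong typing via a frozen dataclass, and a parameterized sqlite3 lookup that still runs the business checks first. The `users` table and its single row are constructed for the demo.

```python
import re
import sqlite3
import unicodedata
from dataclasses import dataclass

# Allow-list for usernames after normalization: lowercase ASCII letters, digits, underscore.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")
MIN_AGE, MAX_AGE = 13, 120

@dataclass(frozen=True)
class User:
    """Strongly typed result of a successful boundary check."""
    username: str
    age: int

def normalize(s: str) -> str:
    """Normalize before validating: NFKC folds compatibility forms (fullwidth 'A' -> 'A'), then casefold."""
    return unicodedata.normalize("NFKC", s).strip().casefold()

def validate_user(payload: object) -> User:
    """Convert an untrusted payload into a User, raising ValueError on any violation."""
    if not isinstance(payload, dict):
        raise ValueError("payload must be an object")
    raw_name = payload.get("username")
    if not isinstance(raw_name, str):
        raise ValueError("username must be a string")
    username = normalize(raw_name)
    # fullmatch rather than match() with '$': '$' would accept a trailing newline.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allow-list")
    age = payload.get("age")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(age, bool) or not isinstance(age, int):
        raise ValueError("age must be an integer")
    if not MIN_AGE <= age <= MAX_AGE:
        raise ValueError("age out of range")
    return User(username=username, age=age)

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table for the demo; not a real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, age INTEGER)")
    conn.execute("INSERT INTO users VALUES ('alice', 30)")
    return conn

def lookup_user(conn: sqlite3.Connection, payload: object):
    """Validate first, then query with a bound parameter, never string-built SQL."""
    user = validate_user(payload)
    return conn.execute("SELECT username, age FROM users WHERE username = ?", (user.username,)).fetchone()
```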

References

  • OWASP Cheat Sheet Series: Input Validation
  • CWE-20: Improper Input Validation
Tags
[Validation, Injection, Boundary]