# Improper Input Validation (CWE-20) The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. **Stack:** Python - Prevalence: 높음 자주 악용됨 - Impact: 높음 6개의 높은 심각도 규칙 - Prevention: 문서화됨 13개의 수정 예시 **OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1 ## Description Input validation is a frequently-used technique for checking potentially dangerous inputs in order to ensure that the inputs are safe for processing within the code, or when communicating with other components. When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. ## Prevention 2개의 Shoulder 탐지 규칙을 기반으로 한 Improper Input Validation 예방 전략. ### Python Use Pydantic models with Field validators instead of raw Request objects Validate business-critical inputs with range constraints using Pydantic or manual checks ## Warning Signs - [MEDIUM] FastAPI endpoints that accept raw Request objects instead of Pydantic models - [MEDIUM] business-critical input values (discount, refund, quantity, price) that are used in operations witho ## Consequences - 승인되지 않은 코드 실행 - 애플리케이션 데이터 수정 - DoS - 애플리케이션 데이터 읽기 ## Mitigations - 모든 입력이 악의적이라고 가정하세요. 알려진 안전한 입력만 허용하는 검증 전략을 사용하세요 - 입력 검증 시 관련될 수 있는 모든 속성을 고려하세요 - 악성 또는 잘못된 형식의 입력을 찾는 것에만 의존하지 마세요 ## Detection - Total rules: 13 - Languages: python, go, javascript, typescript ## Rules by Language ### Python (2 rules) - **FastAPI Missing Request Validation** [MEDIUM]: Detects FastAPI endpoints that accept raw Request objects instead of Pydantic models. This bypasses FastAPI's automatic validation and can lead to type confusion and injection vulnerabilities. - Remediation: Use Pydantic models instead of raw Request objects for automatic validation. ```python from pydantic import BaseModel, EmailStr, Field class UserCreate(BaseModel): username: str = Field(min_length=3, max_length=50) email: EmailStr @app.post("/users") async def create_user(user: UserCreate): return {"user": user} ``` Learn more: https://shoulder.dev/learn/python/cwe-20/missing-validation - **Business Logic Input Validation** [MEDIUM]: Detects business-critical input values (discount, refund, quantity, price) that are used in operations without proper validation. Missing validation can lead to financial fraud, inventory errors, or business logic bypass. - Remediation: Validate business-critical inputs with range constraints using Pydantic. ```python from pydantic import BaseModel, Field class DiscountRequest(BaseModel): discount: float = Field(..., ge=0, le=100) quantity: int = Field(..., gt=0) @app.post('/apply-discount') async def apply_discount_route(request: DiscountRequest): apply_discount(request.discount) ``` Learn more: https://shoulder.dev/learn/python/cwe-20/input-validation