# Prisma Missing Input Validation

- ID: prisma-missing-input-validation
- Severity: HIGH
- CWE: Improper Input Validation (CWE-20)
- Languages: JavaScript, TypeScript
- Frameworks: prisma

## Description

Passing `req.body` directly to a Prisma `where` or `data` argument lets a caller filter on, or write to, fields they are not authorized to use, bypassing access controls.

## Detection Message

Prisma {operation} uses unvalidated user input. Validate and whitelist fields before passing to Prisma.

## Remediation

Validate and whitelist fields with Zod before Prisma queries. Note that `z.object(...).parse()` strips keys that are not declared in the schema, so only the declared fields reach Prisma; add `.strict()` if undeclared keys should be rejected with an error instead.

```typescript
import { z } from 'zod';
import { PrismaClient } from '@prisma/client';
import type { Request } from 'express';

const prisma = new PrismaClient();

// Only these fields, with only these values, may reach the Prisma `where` clause.
const getUsersInput = z.object({
  role: z.enum(['user', 'moderator']).optional(),
  status: z.enum(['active', 'inactive']).optional()
});

async function getUsers(req: Request) {
  // parse() throws on invalid values and drops keys not declared in the schema.
  const input = getUsersInput.parse(req.query);
  return await prisma.user.findMany({ where: input });
}
```

Learn more: https://shoulder.dev/learn/typescript/cwe-20/prisma-missing-input-validation

## Related Rules

- **FastAPI Missing Request Validation** [MEDIUM]:
- **Business Logic Input Validation** [MEDIUM]:
- **Echo Missing Input Validation** [MEDIUM]:
- **Fiber Missing Input Validation** [MEDIUM]:
- **Gin Missing Input Validation** [MEDIUM]:
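The following is an added, dependency-free example (not code from the rule page, Prisma or Zod) of the same allowlisting the Zod schema in the remediation performs; it makes explicit the two inputs the rule is about: keys outside the allowlist, and nested objects that Prisma would interpret as filter operators. The `role`/`status` field names and their allowed values are assumptions carried over from the remediation snippet.

```typescript
// Added example: dependency-free allowlist for a Prisma-style `where` clause.
// Field names and allowed values are assumptions taken from the remediation above.
type UserWhere = { role?: 'user' | 'moderator'; status?: 'active' | 'inactive' };

const ALLOWED: Record<keyof UserWhere, readonly string[]> = {
  role: ['user', 'moderator'],
  status: ['active', 'inactive'],
};

class InputValidationError extends Error {}

// Turns untrusted request input into a `where` object containing only
// allowlisted fields with allowlisted scalar values. Unknown fields (columns the
// caller must not filter on) and nested objects (which Prisma would treat as
// filter operators rather than literal values) are rejected.
function buildUserWhere(input: unknown): UserWhere {
  if (typeof input !== 'object' || input === null || Array.isArray(input)) {
    throw new InputValidationError('filter must be a plain object');
  }
  const where: UserWhere = {};
  for (const [key, value] of Object.entries(input as Record<string, unknown>)) {
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, key)) {
      throw new InputValidationError(`field not allowed in filter: ${key}`);
    }
    if (value === undefined) continue; // optional field not supplied
    if (typeof value !== 'string') {
      // Objects would become operator filters; numbers/booleans are not valid enum values.
      throw new InputValidationError(`field ${key} must be a string literal`);
    }
    const allowedValues = ALLOWED[key as keyof UserWhere];
    if (!allowedValues.includes(value)) {
      throw new InputValidationError(`value not allowed for ${key}: ${value}`);
    }
    (where as Record<string, string>)[key] = value;
  }
  return where;
}

// Boolean form of the same check, for callers that prefer not to catch exceptions.
function isSafeUserWhere(input: unknown): boolean {
  try {
    buildUserWhere(input);
    return true;
  } catch (e) {
    if (e instanceof InputValidationError) return false;
    throw e;
  }
}
```

Pass the result of `buildUserWhere(req.query)` to `prisma.user.findMany({ where })` rather than the raw request object.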