# tRPC Procedure Missing Input Validation

- ID: trpc-missing-input-validation
- Severity: HIGH
- CWE: Improper Input Validation (CWE-20)
- Languages: JavaScript, TypeScript
- Frameworks: trpc

## Description

A tRPC procedure declared without `.input()` validation accepts whatever payload the client sends at runtime, enabling injection and type confusion attacks.

## Detection Message

Procedure '{procedure}' accepts user input but lacks .input() validation. Add Zod schema to validate runtime data.

## Remediation

Add Zod schema validation with `.input()` to all procedures.

```typescript
import { z } from 'zod';

// `router`, `publicProcedure` and `db` come from the application's own
// tRPC setup and data layer (not shown here).
export const userRouter = router({
  getUser: publicProcedure
    // Reject anything that is not { userId: <positive integer> } before the resolver runs.
    .input(z.object({ userId: z.number().int().positive() }))
    .query(async ({ input }) => {
      // `input` is now validated at runtime, not just typed at compile time.
      return await db.user.findUnique({ where: { id: input.userId } });
    })
});
```

Learn more: https://shoulder.dev/learn/typescript/cwe-20/missing-input-validation

## Related Rules

- **FastAPI Missing Request Validation** [MEDIUM]
- **Business Logic Input Validation** [MEDIUM]
- **Echo Missing Input Validation** [MEDIUM]
- **Fiber Missing Input Validation** [MEDIUM]
- **Gin Missing Input Validation** [MEDIUM]
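
The runtime gap named in the Description, shown as an added example that is not part of the original rule page: TypeScript types are erased at runtime, so a resolver without `.input()` receives whatever JSON the client sent. The sketch is dependency-free; `unvalidatedGetUser`, `parseGetUserInput` (a hand-written stand-in for the Zod schema in the Remediation), the in-memory `users` map and the request bodies are all constructed for illustration.

```typescript
type GetUserInput = { userId: number };

// Constructed in-memory stand-in for the database.
const users = new Map<number, { id: number; name: string }>([
  [1, { id: 1, name: "alice" }],
]);

// Without .input(): the cast satisfies the compiler but checks nothing at runtime,
// so the raw client value flows straight into the query filter.
function unvalidatedGetUser(raw: unknown) {
  const input = raw as GetUserInput;
  return { receivedType: typeof input.userId as string, where: { id: input.userId } };
}

// Hand-written equivalent of z.object({ userId: z.number().int().positive() }).
function parseGetUserInput(raw: unknown): GetUserInput {
  if (typeof raw !== "object" || raw === null) {
    throw new TypeError("input must be an object");
  }
  const userId = (raw as Record<string, unknown>).userId;
  if (typeof userId !== "number" || !Number.isInteger(userId) || userId <= 0) {
    throw new TypeError("userId must be a positive integer");
  }
  return { userId }; // forward only the validated field, dropping unknown keys
}

// With validation: the resolver only ever sees a positive integer.
function validatedGetUser(raw: unknown) {
  const input = parseGetUserInput(raw);
  return users.get(input.userId) ?? null;
}

// Constructed request bodies: one well-formed, four malformed.
const samples = [
  '{"userId": 1}',
  '{"userId": "1"}',
  '{"userId": {"unexpected": true}}',
  '{"userId": -5}',
  '{"userId": 1.5}',
];

function classify(body: string): "accepted" | "rejected" {
  try {
    validatedGetUser(JSON.parse(body));
    return "accepted";
  } catch {
    return "rejected";
  }
}
```
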