SCP01 Input Validation
What this means
SiteShadow flagged missing or insufficient input validation. "Input" includes request bodies, query params, headers, files, webhooks, and any data coming from other systems.
Why it matters
Bad input handling is a root cause of many vulnerabilities:
- Injection (SQL, command, LDAP/XPath) when untrusted strings reach interpreters.
- Authorization and logic bypass when "critical state" is client-controlled.
- DoS and crashes when inputs are unexpectedly large or malformed.
Safer examples
1) Validate request payloads with a schema (TypeScript)
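import { z } from "zod";
// Schema with explicit types and length bounds for each accepted field.
const CreateUser = z.object({
  email: z.string().email(),
  displayName: z.string().min(1).max(64),
});
// parse() throws a ZodError if req.body does not match the schema.
const data = CreateUser.parse(req.body);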
2) Validate IDs with allowlists (Python)
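import re
# Allowlist: ASCII letters, digits, "_" and "-", 1 to 64 characters; fullmatch() anchors both ends.
if not re.fullmatch(r"[a-zA-Z0-9_-]{1,64}", user_id):
    raise ValueError("Invalid user_id")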
3) Enforce size limits early
Reject oversized requests/uploads before parsing (see INPUT01-02 / CWE-400).
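One way to apply item 3, as an added example that is not SiteShadow's code and uses only the Python standard library: the body is size-checked before it is parsed, and the allowlist from item 2 is applied afterwards. The names `MAX_BODY_BYTES`, `RejectedInput`, `read_limited_body` and `parse_user_request` are hypothetical, and the 4096-byte limit is an assumed value.

```python
import io
import json
import re

MAX_BODY_BYTES = 4096  # assumed limit; size it to the largest legitimate payload
USER_ID_RE = re.compile(r"[a-zA-Z0-9_-]{1,64}")  # allowlist from item 2


class RejectedInput(ValueError):
    """Input refused; carries the HTTP status a handler would return."""

    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def read_limited_body(stream, content_length=None, limit=MAX_BODY_BYTES):
    """Return the raw body, refusing oversized input before any parsing."""
    # Cheap early exit: a declared length is only trusted for rejecting.
    if content_length is not None:
        if not re.fullmatch(r"[0-9]{1,12}", content_length):
            raise RejectedInput(400, "malformed Content-Length")
        if int(content_length) > limit:
            raise RejectedInput(413, "declared body too large")
    # The header can be absent or wrong, so cap the read itself.
    body = stream.read(limit + 1)
    if len(body) > limit:
        raise RejectedInput(413, "body too large")
    return body


def parse_user_request(stream, content_length=None):
    """Size check, then parse, then allowlist validation, in that order."""
    body = read_limited_body(stream, content_length)
    try:
        data = json.loads(body)
    except (ValueError, RecursionError) as exc:  # bad JSON or deep nesting
        raise RejectedInput(400, "malformed JSON") from exc
    user_id = data.get("user_id") if isinstance(data, dict) else None
    if not isinstance(user_id, str) or not USER_ID_RE.fullmatch(user_id):
        raise RejectedInput(400, "invalid user_id")
    return {"user_id": user_id}


if __name__ == "__main__":
    # Constructed sample request body, not taken from the page.
    sample = io.BytesIO(b'{"user_id": "alice_01"}')
    print(parse_user_request(sample, "23"))
```

Reading `limit + 1` bytes is what distinguishes a body of exactly the allowed size from one that exceeds it without buffering the whole input.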
How SiteShadow detects it (high level)
- Detects untrusted sources (requests/files/network) flowing into sensitive sinks (DB, filesystem, execution, templates).
- Flags missing schema/allowlist/range checks near those flows.
References
- OWASP Secure Coding Practices: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/
---