SiteShadow
Back to vulnerability library
Detected bySecure-coding-practice checks (SCP)Pro

SCP01 Input Validation

What this means

SiteShadow flagged missing or insufficient input validation. "Input" includes request bodies, query params, headers, files, webhooks, and any data coming from other systems.

Why it matters

Bad input handling is a root cause for many vulnerabilities.

Safer examples

1) Validate request payloads with a schema (TypeScript)

import { z } from "zod";

const CreateUser = z.object({
  email: z.string().email(),
  displayName: z.string().min(1).max(64),
});

const data = CreateUser.parse(req.body);

2) Validate IDs with allowlists (Python)

import re

if not re.fullmatch(r"[a-zA-Z0-9_-]{1,64}", user_id):
    raise ValueError("Invalid user_id")

3) Enforce size limits early

Reject oversized requests/uploads before parsing (see INPUT01-02 / CWE-400).

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.