Bug #61
Improper Input Validation in Client Creation API (/api/clients/add) (WEB/API)
Status: Closed
Priority: High
Assignee: -
Description
The /api/clients/add endpoint does not enforce server-side validation of its input. Values with invalid formats and excessive lengths are accepted and processed, and the API returns a success response.
Request:
POST `https://api.akinderwellness.com:4001/api/clients/add`
Content-Type: multipart/form-data
first_name = extremely long string (hundreds of characters)
email = invalid format + excessively long string
password = very large string
phone = non-numeric + excessively long string
address = excessively long string
address2 = excessively long string
city = excessively long string
state = invalid value (not from predefined list)
zip = non-numeric invalid format
Response:
{
"success": true,
"message": "Client added successfully with encrypted data storage"
}
Validation Issues Observed
- Email validation missing: invalid and overly long email values are accepted
- Phone validation missing: non-numeric and long values are accepted
- ZIP/PIN validation missing: incorrectly formatted values are accepted
- State field not restricted: values outside the predefined options are accepted
- No input length restrictions: extremely large values are accepted across multiple fields:
  first_name, password, phone, address, address2, city, state
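One way to add the missing server-side checks, written here as an added example rather than code from the akinderwellness API (the report does not show the service's implementation or language). The field length limits, the allowed state list, and the phone and ZIP formats are assumed values chosen for illustration; the real API would substitute its own schema. The malformed payload mirrors the request in the report and is constructed for the example.

```python
import re

# Assumed per-field maximum lengths (the report does not state the API's intended limits).
MAX_LEN = {
    "first_name": 50,
    "email": 254,
    "password": 128,
    "phone": 20,
    "address": 100,
    "address2": 100,
    "city": 60,
    "state": 2,
    "zip": 10,
}
REQUIRED = ("first_name", "email", "password", "phone", "address", "city", "state", "zip")
# Assumed predefined list of states; the report only says such a list exists.
ALLOWED_STATES = frozenset({"CA", "NY", "TX", "WA"})
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
PHONE_RE = re.compile(r"^\+?[0-9]{7,15}$")          # digits only, optional leading +
ZIP_RE = re.compile(r"^[0-9]{5}(-[0-9]{4})?$")      # assumed US ZIP / ZIP+4 format


def validate_client(form: dict) -> list:
    """Return a list of validation errors; an empty list means the input is acceptable."""
    errors = []
    # Reject fields the schema does not define instead of silently storing them.
    for key in form:
        if key not in MAX_LEN:
            errors.append(f"{key}: unexpected field")
    for key in REQUIRED:
        value = form.get(key)
        if not isinstance(value, str) or not value.strip():
            errors.append(f"{key}: required")
    # Length is checked before any format check, so an oversized value is rejected
    # without running a regex over a very large string.
    for key, limit in MAX_LEN.items():
        value = form.get(key)
        if isinstance(value, str) and len(value) > limit:
            errors.append(f"{key}: longer than {limit} characters")

    def within_limit(key):
        value = form.get(key)
        return isinstance(value, str) and len(value) <= MAX_LEN[key]

    if within_limit("email") and not EMAIL_RE.match(form["email"]):
        errors.append("email: invalid format")
    if within_limit("phone") and not PHONE_RE.match(form["phone"]):
        errors.append("phone: must contain digits only")
    if within_limit("zip") and not ZIP_RE.match(form["zip"]):
        errors.append("zip: invalid format")
    if within_limit("state") and form["state"] not in ALLOWED_STATES:
        errors.append("state: not in the allowed list")
    return errors


def handle_add_client(form: dict):
    """Hypothetical handler for POST /api/clients/add: reject invalid input with HTTP 400."""
    errors = validate_client(form)
    if errors:
        return 400, {"success": False, "errors": errors}
    return 200, {"success": True, "message": "Client added successfully"}


# Constructed payload reproducing the shape of the request in the report.
MALFORMED_FORM = {
    "first_name": "A" * 500,
    "email": "not-an-email" + "x" * 400,
    "password": "p" * 5000,
    "phone": "abc" * 100,
    "address": "x" * 1000,
    "address2": "y" * 1000,
    "city": "z" * 500,
    "state": "ZZ",
    "zip": "abcde",
}

# Constructed well-formed payload for comparison.
VALID_FORM = {
    "first_name": "Asha",
    "email": "asha@example.com",
    "password": "correct horse battery staple",
    "phone": "+14155550123",
    "address": "1 Main St",
    "address2": "",
    "city": "Seattle",
    "state": "WA",
    "zip": "98101",
}

if __name__ == "__main__":
    print(handle_add_client(MALFORMED_FORM))
    print(handle_add_client(VALID_FORM))
```

Running the block prints a 400 response listing every field the report flags (length violations on seven fields, a state outside the list, and a malformed ZIP) for the malformed payload, and a 200 response for the well-formed one. The checks run on the server regardless of any client-side validation, which is the property the report says is missing.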
Updated by Adhi Narayanan 18 days ago
- Status changed from New to Resolved
- % Done changed from 0 to 100