Bug #63

closed

Improper Input Validation in /api/admin/add-role Allows Excessively Long Role Names (API-WEB)

Added by Vivek Kumar 21 days ago. Updated 18 days ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Start date:
03/31/2026
Due date:
% Done:

100%

Estimated time:
Spent time:

Description

The /api/admin/add-role endpoint does not enforce proper input length validation on the name field.
An attacker (or authenticated admin user) can submit extremely long strings (well beyond expected limits such as 50 characters), and the server accepts and processes the request successfully.
This indicates a lack of server-side validation.

Steps to Reproduce

  1. Send a POST request to: https://api.akinderwellness.com:4001/api/admin/add-role
  2. Use a valid admin authorization token
  3. Provide an excessively long string in the name field:
{
  "name": "NEW ROLE WITH MORE THAN FIFTY CHARACTERS LETS CHECK ITNEW ROLE WITH MORE THAN FIFTY CHARACTERS LETS CHECK ITNEW ROLE WITH MORE THAN FIFTY CHARACTERS LETS CHECK IT..."
}
  4. Observe the response

Actual Result
Server accepts the request
Role is created successfully with oversized name

Expected Result
Server should reject input exceeding the allowed length (e.g., 50 chars)
and return a validation error like:

{
  "error": "Role name must not exceed 50 characters"
}
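As an added illustration (not the project's code), this is the kind of server-side check the expected result describes: the name is validated for type, emptiness and length before anything is persisted. The 50-character limit, the allowed character set, the response shape and the `createRole` callback are assumptions taken from the report, not from the real API.

```javascript
// Added example of server-side role-name validation for /api/admin/add-role.
// Assumptions (not from the project): a 50-character limit, an ASCII word
// character set, and the {success, message} response shape seen in this report.
const ROLE_NAME_MAX = 50;
const ROLE_NAME_PATTERN = /^[A-Za-z0-9 _-]+$/;

// Returns {success: true, name} or {success: false, message}.
function validateRoleName(name) {
  // Reject anything that is not a string (null, numbers, objects, arrays).
  if (typeof name !== "string") {
    return { success: false, message: "Role name must be a valid string" };
  }
  const trimmed = name.trim();
  if (trimmed.length === 0) {
    return { success: false, message: "Role name must not be empty" };
  }
  // Count code points rather than UTF-16 units so astral characters are not
  // undercounted; the limit itself is an assumed value.
  if (Array.from(trimmed).length > ROLE_NAME_MAX) {
    return {
      success: false,
      message: `Role name must not exceed ${ROLE_NAME_MAX} characters`,
    };
  }
  if (!ROLE_NAME_PATTERN.test(trimmed)) {
    return { success: false, message: "Role name contains invalid characters" };
  }
  return { success: true, name: trimmed };
}

// Framework-agnostic handler: validate first, only then touch storage.
// createRole is a hypothetical persistence callback supplied by the caller.
function handleAddRole(body, createRole) {
  const result = validateRoleName(body ? body.name : undefined);
  if (!result.success) {
    return { status: 400, body: { success: false, message: result.message } };
  }
  return { status: 201, body: { success: true, role: createRole(result.name) } };
}

module.exports = { ROLE_NAME_MAX, validateRoleName, handleAddRole };
```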
Actions #1

Updated by Adhi Narayanan 19 days ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100
Actions #2

Updated by Vivek Kumar 18 days ago

  • Status changed from Resolved to Closed

{"success":false,"message":"Role name must be a valid string"}
