Bug #80 (closed)
Insufficient Input Validation in /api/schools/add Allows Invalid and Malformed Data Submission (Web-api)
Status: Closed
Priority: Normal
Assignee: -
Start date: 04/11/2026
Due date: -
% Done: 100%
Estimated time: (Total: 0:00 h)
Spent time: 1:00 h (Total: 1:27 h)
Description
The school creation endpoint validates its input only partially. The zip field is checked for numeric content, but every other field is stored as submitted: punctuation-only strings, values in the wrong format (non-alphabetic city and state names, a non-URL website, a contact number made of symbols), and status values outside the expected enumeration are all accepted. Because the client is the only thing rejecting such data, anyone who calls the endpoint directly can populate school records with malformed values, which then surface in every consumer of the schools API.
Steps to Reproduce
- Send a POST request to /api/schools/add
- Provide invalid or malformed values in multiple fields (except zip, which is validated)
- Example request:
{
"name": "................",
"address": "............",
"city": ".......",
"state": "......",
"zip": "90812",
"AdditionalInfo": ".........",
"contactPerson": ".........",
"contactNumber": ".......",
"website": ".....",
"status": "Activa",
"classes": [
{
"className": "..........",
"sections": []
}
]
}
- Observe that the API accepts the request and reports success instead of returning a validation error
Actual Result
The API enforces validation only on the zip field; the other fields lack proper validation. The identified issues are:
- name: accepts special character-only values (e.g., "................")
- address: accepts meaningless and special character-only values
- city: accepts invalid non-alphabetic values
- state: accepts invalid non-alphabetic values
- AdditionalInfo: accepts arbitrary meaningless input (e.g., ".........")
- contactPerson: accepts invalid values (e.g., ".........")
- contactNumber: accepts invalid formats and special symbols
- website: accepts invalid, non-URL values (e.g., ".....")
- status: accepts invalid enum values (e.g., "Activa" instead of the expected "Active")
- classes.className: accepts meaningless special character-only values
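As an added example (not code from the Web-api project, whose real schema the report does not show), the following Python validator rejects the exact payload above and reports one reason per field. The field rules, the length limits, the allowed status values and the decision to reject unknown keys are assumptions made for illustration; the point is that every free-text rule must demand at least one letter or digit so punctuation-only strings fail, and that enums, URLs and phone numbers are checked against anchored allow-lists rather than accepted as arbitrary strings.

```python
import re
from typing import Any, Dict, Optional
from urllib.parse import urlparse

# Constructed sample: the request body the report says /api/schools/add accepted.
REPORTED_PAYLOAD: Dict[str, Any] = {
    "name": "................", "address": "............",
    "city": ".......", "state": "......", "zip": "90812",
    "AdditionalInfo": ".........", "contactPerson": ".........",
    "contactNumber": ".......", "website": ".....", "status": "Activa",
    "classes": [{"className": "..........", "sections": []}],
}

# Assumed enum: the report names only "Active" as the expected value.
ALLOWED_STATUS = {"Active", "Inactive"}

# Assumed field rules (hypothetical; the report does not publish the real schema).
# All patterns are anchored allow-lists; the free-text one requires at least one
# letter or digit so that strings such as "........" are rejected.
TEXT_RE = re.compile(r"^(?=.*[A-Za-z0-9])[A-Za-z0-9 .,'&()/#-]+$")
ALPHA_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]*$")   # city, state, contact person
ZIP_RE = re.compile(r"^\d{5}(-\d{4})?$")
PHONE_RE = re.compile(r"^\+?\d{7,15}$")


def _text(value: Any, max_len: int) -> Optional[str]:
    """Free-text field: must be a string, bounded in length, not punctuation-only."""
    if not isinstance(value, str):
        return "must be a string"
    s = value.strip()
    if not 1 <= len(s) <= max_len:
        return f"length must be 1..{max_len}"
    if not TEXT_RE.fullmatch(s):
        return "must contain letters or digits; punctuation-only input rejected"
    return None


def _match(pattern, reason: str):
    """Build a checker that requires a string fully matching an anchored pattern."""
    def check(value: Any) -> Optional[str]:
        ok = isinstance(value, str) and pattern.fullmatch(value.strip())
        return None if ok else reason
    return check


def _website(value: Any) -> Optional[str]:
    """Website must parse as an http(s) URL with a dotted hostname."""
    if not isinstance(value, str):
        return "must be a string"
    u = urlparse(value.strip())
    if u.scheme not in ("http", "https") or "." not in u.netloc:
        return "must be an http(s) URL with a hostname"
    return None


FIELD_CHECKS = {
    "name": lambda v: _text(v, 100),
    "address": lambda v: _text(v, 200),
    "city": _match(ALPHA_RE, "must be alphabetic"),
    "state": _match(ALPHA_RE, "must be alphabetic"),
    "zip": _match(ZIP_RE, "must be a 5-digit ZIP (optionally ZIP+4)"),
    "AdditionalInfo": lambda v: _text(v, 500),
    "contactPerson": _match(ALPHA_RE, "must be a person's name (letters only)"),
    "contactNumber": _match(PHONE_RE, "must be 7-15 digits with optional leading +"),
    "website": _website,
    "status": lambda v: None if isinstance(v, str) and v in ALLOWED_STATUS
    else f"must be one of {sorted(ALLOWED_STATUS)}",
}


def validate_school(payload: Dict[str, Any]) -> Dict[str, str]:
    """Return {field_path: reason} for every rejected field; an empty dict means accept."""
    errors: Dict[str, str] = {}
    for field, check in FIELD_CHECKS.items():
        if field not in payload:
            errors[field] = "missing"
            continue
        reason = check(payload[field])
        if reason:
            errors[field] = reason
    classes = payload.get("classes")
    if not isinstance(classes, list) or not classes:
        errors["classes"] = "must be a non-empty list"
    else:
        for i, cls in enumerate(classes):
            if not isinstance(cls, dict):
                errors[f"classes[{i}]"] = "must be an object"
                continue
            reason = _text(cls.get("className"), 50)
            if reason:
                errors[f"classes[{i}].className"] = reason
            if not isinstance(cls.get("sections"), list):
                errors[f"classes[{i}].sections"] = "must be a list"
    # Strict schema: unknown keys are rejected rather than silently stored.
    for extra in set(payload) - set(FIELD_CHECKS) - {"classes"}:
        errors[extra] = "unknown field"
    return errors


if __name__ == "__main__":
    for path, reason in sorted(validate_school(REPORTED_PAYLOAD).items()):
        print(f"{path}: {reason}")
```

Run against the reported payload, the validator flags every field in the Actual Result list and leaves zip alone; a well-formed payload returns an empty error map. The checks run server-side on every request, so client-side validation is irrelevant to whether bad data reaches the database.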
Expected Result
The API must enforce strict validation across all fields: