fix: strict input validation on POST /api/goals#469
Open
advikdivekar wants to merge 4 commits into
Open
Conversation
- Wrap req.json() in try/catch — returns 400 on malformed JSON - Validate body is a non-null object before destructuring - title: must be non-empty string, trimmed, max 100 characters - target: must be integer in [1, 10000] — blocks 0, negatives, floats, NaN, overflow - unit: clamped to 30 chars silently - recurrence: unknown values default to 'none' explicitly - All bounds defined as named constants Fixes division-by-zero (target:0 → Infinity% progress bar) and negative target making 0-progress goals show as 100% complete. Closes Priyanshu-byte-coder#454
|
@advikdivekar is attempting to deploy a commit to the PRIYANSHU DOSHI's projects Team on Vercel. A member of the Team first needs to authorize it. |
github-actions
Bot
added
gssoc26
GSSoC Label Checklist 🏷️@Priyanshu-byte-coder — please apply the appropriate labels before merging: Difficulty (pick one):
Quality (optional):
Validation (required to score):
|
4 tasks
Priyanshu-byte-coder
requested changes
May 21, 2026
Owner
Priyanshu-byte-coder
left a comment
Priyanshu-byte-coder
left a comment
There was a problem hiding this comment.
Merge conflict — rebase on main to resolve. The logic and implementation are correct; once conflict is cleared this can merge immediately.
Priyanshu-byte-coder
added
level:intermediate
Contributor
Author
|
@Priyanshu-byte-coder resolved the merge conflicts |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
POST /api/goalsaccepted arbitrary values with no bounds checking:target: 0→ division by zero in the frontend progress bar (0 / 0 * 100 = Infinity%)target: -1→ a goal withcurrent: 0displayed as 100% completetarget: 0.5,NaN,999999999→ silently storedtitlehad no length cap — a multi-MB string would be persisted and break layoutFix
src/app/api/goals/route.tsreq.json()wrapped in try/catch → returns400 Invalid JSONon parse failuretitle: must be a non-empty string, trimmed, ≤ 100 characterstarget: must be an integer in[1, 10_000]— rejects0, negatives, floats,NaN, and overflow valuesunit: clamped to 30 characters silentlyrecurrence: unknown values default to"none"explicitlyTest plan
POST /api/goalswithtarget: 0returns400POST /api/goalswithtarget: -5returns400POST /api/goalswithtarget: 0.5returns400POST /api/goalswithtarget: 999999999returns400POST /api/goalswith a 101-character title returns400POST /api/goalswith a whitespace-only title returns400POST /api/goalswith malformed JSON returns400Closes #454