Severity: medium | CWE-20 | OWASP A03:2021

No Input Validation

User-supplied data sent directly to databases or external APIs without any type, format, or content validation.

How It Works

When you pass req.body straight to a database query or API call, an attacker controls the shape and content of that data. This enables SQL injection, NoSQL injection, type confusion bugs, and unexpected behavior. AI-generated code is especially prone to this — it often skips validation for brevity.

Vulnerable Code
// BAD: raw body straight to the database
// `db` is the application's Prisma-style client (assumed to be imported elsewhere)
export async function POST(req: Request) {
  // Every key the client sends, including unexpected ones such as `role`, reaches the insert
  const body = await req.json();
  const user = await db.users.create({ data: body });
  return Response.json(user);
}
Secure Code
// GOOD: validate with Zod before touching the DB
import { z } from 'zod';

// Only these fields are accepted; z.object() strips keys that are not
// declared here, so a client-supplied `role` never reaches the insert.
const schema = z.object({
  name: z.string().min(1).max(100),
  email: z.string().email(),
});

export async function POST(req: Request) {
  const result = schema.safeParse(await req.json());
  if (!result.success) {
    // Validation failure is a client error: answer 400, not 500
    return Response.json({ errors: result.error.flatten() }, { status: 400 });
  }
  const user = await db.users.create({ data: result.data });
  return Response.json(user);
}

Real-World Example

A common vibecoder mistake: AI generates an API route that destructures req.body and passes it to Prisma's create(). If the users table has a role field, an attacker can set role: 'admin' and escalate privileges instantly.

How to Prevent It

  • Use Zod, Joi, or Yup to validate every API request body and query param
  • Whitelist allowed fields explicitly — never pass the entire request body to an ORM
  • Validate types, lengths, formats, and ranges — not just presence
  • Return 400 with a clear error message on validation failure, not 500

Affected Technologies

Node.js, Next.js, Python, Go, PHP

Data Hogo detects this vulnerability automatically.
