# 03. Input Validation & XSS Prevention Audit

meta:
  id: web-production-03
  feature: web-production
  priority: P1
  depends_on: []
  tags: [security, validation, production]

objective:
  - Audit and harden all input validation to prevent XSS, injection attacks, and malformed data

deliverables:
  - XSS prevention audit report
  - Input sanitization layer
  - HTML escaping on all user-generated content
  - SQL injection protection verification

steps:
  1. Audit all tRPC routers for input validation gaps:
     - Check web/src/server/api/routers/*.ts for missing valibot schemas
     - Ensure all user inputs have strict type validation
     - Add maxLength constraints to all string inputs
  2. Implement output escaping for user-generated content:
     - Blog posts, user names, alert messages
     - Use DOMPurify or similar on client-side rendering
     - Escape HTML entities server-side before DB storage
  3. Audit database queries for SQL injection:
     - Verify all queries use Drizzle parameterized queries
     - Check raw SQL usage in jobs and services
     - Ensure no string concatenation in SQL
  4. Add content validation for file uploads (if any):
     - MIME type verification
     - File size limits
     - Scan for malware
  5. Implement request body size limits:
     - 1MB max for JSON payloads
     - 10MB max for file uploads
  6. Add tests for malformed input handling

tests:
  - Unit: Test each router with XSS payloads, SQL injection attempts
  - Integration: Submit malicious inputs via API, verify safe handling
  - Security: Run OWASP ZAP or Burp Suite against app

acceptance_criteria:
  - All tRPC inputs have strict valibot validation with bounds
  - User-generated content escaped before rendering
  - No SQL injection vectors in any query
  - XSS payloads rendered as plain text, not executed
  - Request body size limits enforced
  - OWASP ZAP scan shows no high/critical vulnerabilities
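For step 3 and the "no SQL injection vectors in any query" criterion, an added example (not the project's own tooling) of a heuristic source scanner that flags raw SQL assembled by string concatenation or by an untagged template literal, while accepting Drizzle's `` sql`...` `` tagged template, which binds each `${}` as a parameter. The regexes encode assumptions made here about how raw SQL appears in the jobs and services code, and the sample source lines are constructed for the run.

```typescript
// Added example, not project code: a line-oriented audit for step 3. The
// rules are heuristics (assumptions about this code base's style); they are
// meant to narrow the manual review, not to prove a query safe.

type Finding = { line: number; reason: string; text: string };

const RULES: Array<{ reason: string; test: (line: string) => boolean }> = [
  {
    // sql.raw() splices the string into the statement with no parameter binding
    reason: "sql.raw() with ${} interpolation bypasses parameter binding",
    test: (l) => /sql\.raw\(\s*`[^`]*\$\{/.test(l),
  },
  {
    // a template literal with ${} handed straight to execute()/query() without the sql tag
    reason: "untagged template literal with ${} passed as SQL",
    test: (l) => /(?:execute|query)\(\s*`[^`]*\$\{/.test(l) && !/sql`/.test(l),
  },
  {
    // a quoted string containing a SQL keyword followed by the + operator
    reason: "string concatenation inside a SQL statement",
    test: (l) => /["'][^"']*\b(?:SELECT|INSERT|UPDATE|DELETE|FROM|WHERE)\b.*["']\s*\+/i.test(l),
  },
];

// Returns one finding per offending line (first matching rule wins).
function auditSqlSource(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((text, idx) => {
    for (const rule of RULES) {
      if (rule.test(text)) {
        findings.push({ line: idx + 1, reason: rule.reason, text: text.trim() });
        break;
      }
    }
  });
  return findings;
}

// Constructed sample mimicking a jobs/services file: lines 1-2 are the
// parameterized forms the audit should accept, lines 3-5 should be flagged.
const SAMPLE_SOURCE = [
  "const rows = await db.select().from(posts).where(eq(posts.id, input.id));",
  "const byId = await db.execute(sql`SELECT * FROM posts WHERE id = ${input.id}`);",
  "const unsafe1 = await db.execute(`SELECT * FROM posts WHERE title = '${input.title}'`);",
  "const unsafe2 = await db.execute(sql.raw(`DELETE FROM posts WHERE id = ${input.id}`));",
  `const unsafe3 = await db.execute("SELECT * FROM users WHERE name = '" + name + "'");`,
].join("\n");

function reportSample(): Finding[] {
  const findings = auditSqlSource(SAMPLE_SOURCE);
  for (const f of findings) console.log(`line ${f.line}: ${f.reason}\n    ${f.text}`);
  return findings;
}
reportSample();
```

Run it over `web/src/server/api/routers/*.ts` and the jobs and services directories as a first pass; every hit still needs a human to confirm whether the interpolated value is user-controlled, and a clean run does not by itself satisfy the acceptance criterion, since query builders can also be misused in ways a line regex cannot see.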

validation:
  - Submit `<script>alert('xss')</script>` in all text fields → rendered safely
  - Submit SQL injection in search fields → no database errors
  - Run `npm audit` and address all high severity issues

notes:
  - Valibot schemas already in use — expand them with stricter bounds
  - Consider using zod for more complex validation if valibot is limiting
  - Sanitize inputs at API boundary, not just client-side