missing-input-validation

Any data from outside the process — HTTP request bodies, CLI args, file contents, third-party API responses, user messages — should be treated as untrusted until proven otherwise. Code that uses it directly opens injection, crash, and security paths.

Symptoms

• HTTP handler uses request.body.x with no type check.
• CLI flag value passed straight into exec, SQL, or a file path.
• Third-party API response fields accessed without confirming they exist.
• Numeric input used in array indexing or arithmetic with no bounds check.
• String input concatenated into SQL, shell commands, or file paths.

What to do

• At every trust boundary, validate type, shape, and range before using the value. Reject early with a clear error message.
• For structured payloads, use a schema validator (Zod, Pydantic, ArkType, etc.) — don't hand-write "if field exists".
• For values used in SQL, shell, or file paths, use parameterized queries, execFile with an argv array, or explicit path joins — never string concatenation.
• When an invariant is checked, include the unexpected value in the error so debugging is possible.
• Third-party responses are not trustworthy. Validate them the same way you'd validate user input.