fix(security): add @Valid constraints on AddItemRequest to prevent oversized input

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-06 19:49:06 +02:00
parent 40a6a0e92d
commit 9d210befa1
3 changed files with 18 additions and 3 deletions
--- a/backend/src/main/java/com/recipeapp/shopping/ShoppingListController.java
+++ b/backend/src/main/java/com/recipeapp/shopping/ShoppingListController.java
@@ -4,6 +4,7 @@ import com.recipeapp.common.RequiresHouseholdRole;
 import com.recipeapp.common.ResourceNotFoundException;
 import com.recipeapp.recipe.HouseholdResolver;
 import com.recipeapp.shopping.dto.*;
+import jakarta.validation.Valid;
 import org.springframework.http.HttpStatus;
 import org.springframework.web.bind.annotation.*;

@@ -61,7 +62,7 @@ public class ShoppingListController {
    @PostMapping("/v1/shopping-lists/{id}/items")
    @ResponseStatus(HttpStatus.CREATED)
    public ShoppingListItemResponse addItem(@PathVariable UUID id,
-                                            @RequestBody AddItemRequest request,
+                                            @Valid @RequestBody AddItemRequest request,
                                            Principal principal) {
        UUID householdId = householdResolver.resolve(principal.getName());
        return shoppingService.addItem(householdId, id, request);
--- a/backend/src/main/java/com/recipeapp/shopping/dto/AddItemRequest.java
+++ b/backend/src/main/java/com/recipeapp/shopping/dto/AddItemRequest.java
@@ -1,11 +1,15 @@
 package com.recipeapp.shopping.dto;

+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.Positive;
+import jakarta.validation.constraints.Size;
+
 import java.math.BigDecimal;
 import java.util.UUID;

 public record AddItemRequest(
        UUID ingredientId,
-        String customName,
-        BigDecimal quantity,
+        @NotBlank @Size(max = 255) String customName,
+        @Positive BigDecimal quantity,
        String unit
 ) {}
--- a/backend/src/test/java/com/recipeapp/shopping/ShoppingListControllerTest.java
+++ b/backend/src/test/java/com/recipeapp/shopping/ShoppingListControllerTest.java
@@ -159,4 +159,14 @@ class ShoppingListControllerTest {
                        .principal(() -> "sarah@example.com"))
                .andExpect(status().isNoContent());
    }
+
+    @Test
+    void addItemShouldReturn400WhenCustomNameIsBlank() throws Exception {
+        mockMvc.perform(post("/v1/shopping-lists/{id}/items", LIST_ID)
+                        .principal(() -> "sarah@example.com")
+                        .contentType(MediaType.APPLICATION_JSON)
+                        .content(objectMapper.writeValueAsString(
+                                new AddItemRequest(null, "  ", new BigDecimal("1"), ""))))
+                .andExpect(status().isBadRequest());
+    }
 }