marcel/mealprep
1
0
Fork 0
Code Issues 22 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): add @Valid constraints on AddItemRequest to prevent oversized input

Browse Source 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marcel Raddatz
2026-04-06 19:49:06 +02:00
parent 40a6a0e92d
commit 9d210befa1
3 changed files with 18 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
backend/src/main/java/com/recipeapp/shopping/ShoppingListController.java
View File

@@ -4,6 +4,7 @@ import com.recipeapp.common.RequiresHouseholdRole;
import com.recipeapp.common.ResourceNotFoundException; import com.recipeapp.common.ResourceNotFoundException;
import com.recipeapp.recipe.HouseholdResolver; import com.recipeapp.recipe.HouseholdResolver;
import com.recipeapp.shopping.dto.*; import com.recipeapp.shopping.dto.*;
import jakarta.validation.Valid;
import org.springframework.http.HttpStatus; import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.*; import org.springframework.web.bind.annotation.*;
@@ -61,7 +62,7 @@ public class ShoppingListController {
@PostMapping("/v1/shopping-lists/{id}/items") @PostMapping("/v1/shopping-lists/{id}/items")
@ResponseStatus(HttpStatus.CREATED) @ResponseStatus(HttpStatus.CREATED)
public ShoppingListItemResponse addItem(@PathVariable UUID id, public ShoppingListItemResponse addItem(@PathVariable UUID id,
@RequestBody AddItemRequest request, @Valid @RequestBody AddItemRequest request,
Principal principal) { Principal principal) {
UUID householdId = householdResolver.resolve(principal.getName()); UUID householdId = householdResolver.resolve(principal.getName());
return shoppingService.addItem(householdId, id, request); return shoppingService.addItem(householdId, id, request);

8
backend/src/main/java/com/recipeapp/shopping/dto/AddItemRequest.java
View File

@@ -1,11 +1,15 @@
package com.recipeapp.shopping.dto; package com.recipeapp.shopping.dto;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.Positive;
import jakarta.validation.constraints.Size;
import java.math.BigDecimal; import java.math.BigDecimal;
import java.util.UUID; import java.util.UUID;
public record AddItemRequest( public record AddItemRequest(
UUID ingredientId, UUID ingredientId,
String customName, @NotBlank @Size(max = 255) String customName,
BigDecimal quantity, @Positive BigDecimal quantity,
String unit String unit
) {} ) {}

10
backend/src/test/java/com/recipeapp/shopping/ShoppingListControllerTest.java
View File

@@ -159,4 +159,14 @@ class ShoppingListControllerTest {
.principal(() -> "sarah@example.com")) .principal(() -> "sarah@example.com"))
.andExpect(status().isNoContent()); .andExpect(status().isNoContent());
} }
@Test
void addItemShouldReturn400WhenCustomNameIsBlank() throws Exception {
mockMvc.perform(post("/v1/shopping-lists/{id}/items", LIST_ID)
.principal(() -> "sarah@example.com")
.contentType(MediaType.APPLICATION_JSON)
.content(objectMapper.writeValueAsString(
new AddItemRequest(null, " ", new BigDecimal("1"), ""))))
.andExpect(status().isBadRequest());
}
} }