audit: Input validation and sanitization #43

@Snider

Description

Security Audit: Input Validation

Audit all input handling for proper validation and sanitization.

Check For

  1. User Input - Forms, query params, headers, cookies
  2. File Uploads - Type validation, size limits, path traversal
  3. API Inputs - JSON/XML parsing, schema validation
  4. Database Queries - Parameterized queries, ORM usage
  5. Command Execution - Shell injection, argument escaping
  6. Path Handling - Directory traversal, symlink attacks
  7. URL Handling - Open redirects, SSRF
  8. Regex - ReDoS vulnerabilities
  9. Numeric Inputs - Integer overflow, type coercion
  10. Encoding - UTF-8 validation, null bytes

Questions to Answer

  • Where does untrusted input enter the system?
  • Is input validated before use?
  • Is validation allowlist or denylist based?
  • Are error messages leaking information?
  • Is there consistent validation across all entry points?

Output

Save to AUDIT-INPUT-VALIDATION.md

Include:

  • Input entry points inventory
  • Validation gaps found
  • Injection vectors discovered
  • Remediation recommendations with code examples
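The allowlist-versus-denylist question and the file-upload, path-handling and encoding items above, worked through as an added Python example (not code from this issue or from the project under audit); the upload root, size limit and extension set are assumptions chosen for the example:

```python
import re
import unicodedata
from pathlib import Path
from typing import Optional

# Assumed values for the example, not taken from the issue.
UPLOAD_ROOT = Path("/srv/uploads").resolve()
ALLOWED_EXT = {".png", ".jpg", ".pdf"}
MAX_BYTES = 5 * 1024 * 1024

def denylist_filename(name: str) -> str:
    # Denylist: removes the one pattern the author thought of.
    # "....//etc/passwd" becomes "../etc/passwd" after one pass.
    return name.replace("../", "")

# Allowlist: only the characters the application actually needs.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

def allowlist_filename(raw: bytes) -> str:
    # Item 10: bytes must be valid UTF-8 before any string logic runs.
    try:
        name = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("filename is not valid UTF-8") from exc
    # Item 10: a NUL would truncate the name in C-level file APIs.
    if "\x00" in name:
        raise ValueError("filename contains NUL byte")
    name = unicodedata.normalize("NFC", name)
    # Items 2 and 6: allowlisted charset rejects '/', '\\' and '%' outright.
    if not _SAFE_NAME.fullmatch(name) or ".." in name:
        raise ValueError("filename has characters outside the allowlist")
    # Item 2: extension allowlist, case-insensitive.
    if Path(name).suffix.lower() not in ALLOWED_EXT:
        raise ValueError("file type not permitted")
    return name

def safe_upload_path(raw: bytes, size: int) -> Path:
    # Item 2: size limit enforced before anything touches the filesystem.
    if size > MAX_BYTES:
        raise ValueError("file too large")
    target = (UPLOAD_ROOT / allowlist_filename(raw)).resolve()
    # Item 6: containment check after resolving, so symlinks cannot escape.
    if target.parent != UPLOAD_ROOT:
        raise ValueError("path escapes upload root")
    return target

def reject_reason(raw: bytes, size: int = 0) -> Optional[str]:
    # Returns the rejection message, or None when the input is accepted.
    try:
        safe_upload_path(raw, size)
    except ValueError as exc:
        return str(exc)
    return None
```

Each rejection names the failed check, which is what an audit report wants; the message goes to the log, not to the client, so it does not feed the "error messages leaking information" question.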

Labels: jules (For Jules AI to work on)