This is a bounty to fix a missing input validation vulnerability in a Node.js API endpoint. The task involves creating and applying a Zod schema to validate user creation requests, preventing arbitrary data from being stored. The bounty specifically mentions that only the issue author can attempt to solve it, but encourages creating a new issue to work on it.
A starter prompt for Claude Code, what you'll need, and how to reach them.
You are an expert Node.js and security developer. The task is to fix a missing input validation vulnerability in the `SecureBananaLabs/bug-bounty` repository. Specifically, the `POST /api/users` endpoint in `apps/api/src/controllers/userController.js` lacks Zod schema validation, allowing arbitrary data to be stored. Implement robust input validation using Zod. First, fork the `SecureBananaLabs/bug-bounty` repository. Analyze the existing `registerSchema` and `createJobSchema` to understand the project's Zod usage patterns. Create a new Zod schema, `createUserSchema`, that rigorously defines the expected structure and types for user creation data (e.g., username: string().min(3), email: string().email(), password: string().min(8)). Modify the `postUser` function in `apps/api/src/controllers/userController.js` to apply `createUserSchema.parse(req.body)` before calling `createUser`. Implement appropriate error handling for Zod validation failures, returning a 400 Bad Request response with details on validation errors. Finally, write a new test case in the relevant test file (or create one if none exists for this endpoint) that attempts to send malformed data and asserts that a 400 status is returned due to validation failure. Your solution should use standard Node.js, Express, and Zod, aligning with the existing project's style. Provide only the code changes and a clear explanation of how to integrate them.
Bounty (amount on the issue).

## Bug: Missing Input Validation on User Creation

**Description:** The `POST /api/users` endpoint does not validate input with Zod schema, unlike auth and job routes which use proper validation. This allows arbitrary data to be stored as user records.

**File:** `apps/api/src/controllers/userController.js`

**Current code:**

```js
export async function postUser(req, res) {
  return ok(res, await createUser(req.body), 201);
}
```

**Expected behavior:** A Zod validation schema should be created for user creation (similar to `registerSchema` and `createJobSchema`) and applied before passing data to the service layer.

**Impact:** Medium — allows malformed or malicious data to be persisted as user records.

This issue is limited only to the creator of this issue. This means that only the issue author can attempt to solve this issue. If you would like to work on it, please create another issue with the same contents and refer to issue #743 for more information.
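The fix the prompt and the issue describe, shown end to end as an added example that is not part of this page or of the SecureBananaLabs/bug-bounty project's code: the vulnerable handler beside the hardened one, driven with constructed request bodies. So that it runs with no dependencies, a few lines stand in for the two pieces of Zod's API the fix uses (`z.string().min()/.email()` and `z.object().safeParse()`, returning the same `{ success, data }` / `{ success: false, error: { issues } }` shape); in the real fix those come from `import { z } from 'zod'` and the handler body is unchanged. The `createUser`, `ok` and response objects are assumed stand-ins for the project's service layer and Express, not its real code.

```javascript
// Added example; not the SecureBananaLabs/bug-bounty project's code.
// Minimal stand-in for the parts of Zod used below so the file runs offline.
// Real fix: `import { z } from 'zod'`; createUserSchema and postUser stay as written.
const z = {
  string() {
    const checks = [];
    const field = {
      min(n) { checks.push(v => (v.length >= n ? null : `must contain at least ${n} character(s)`)); return field; },
      email() { checks.push(v => (/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v) ? null : 'invalid email')); return field; },
      _check(v) {
        if (typeof v !== 'string') return 'expected string';
        for (const c of checks) { const m = c(v); if (m) return m; }
        return null;
      },
    };
    return field;
  },
  object(shape) {
    return {
      // Mirrors Zod's safeParse result shape. Unknown keys are stripped, as Zod
      // does by default, so a caller cannot smuggle extra columns into the record.
      safeParse(input) {
        if (input === null || typeof input !== 'object') {
          return { success: false, error: { issues: [{ path: [], message: 'expected object' }] } };
        }
        const issues = [];
        const data = {};
        for (const [key, field] of Object.entries(shape)) {
          const v = input[key];
          const msg = v === undefined ? 'required' : field._check(v);
          if (msg) issues.push({ path: [key], message: msg }); else data[key] = v;
        }
        return issues.length ? { success: false, error: { issues } } : { success: true, data };
      },
    };
  },
};

// The schema the issue asks for; field rules are the ones the starter prompt lists.
const createUserSchema = z.object({
  username: z.string().min(3),
  email: z.string().email(),
  password: z.string().min(8),
});

// Assumed stand-ins for the project's service layer and `ok` helper (not the real ones).
// Password hashing is out of scope here; the stored/echoed record simply omits it.
const users = [];
async function createUser(data) {
  const { password: _omit, ...rest } = data;
  const user = { id: users.length + 1, ...rest };
  users.push(user);
  return user;
}
function ok(res, body, status = 200) { return res.status(status).json(body); }

// Vulnerable handler as quoted in the issue: req.body flows straight into the service.
async function postUserUnvalidated(req, res) {
  return ok(res, await createUser(req.body), 201);
}

// Hardened handler: validate first; on failure answer 400 with the issue list.
async function postUser(req, res) {
  const result = createUserSchema.safeParse(req.body);
  if (!result.success) {
    return res.status(400).json({ error: 'Validation failed', issues: result.error.issues });
  }
  return ok(res, await createUser(result.data), 201);
}

// Tiny Express-like response double so the handlers can be exercised without a server.
function mockRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (c) => { res.statusCode = c; return res; };
  res.json = (b) => { res.body = b; return res; };
  return res;
}

// Run one handler against a constructed body; returns { status, body } for inspection.
async function callHandler(handler, body) {
  const res = mockRes();
  await handler({ body }, res);
  return { status: res.statusCode, body: res.body };
}

// Constructed inputs: one malformed body that also tries to set `role`, one valid body.
async function demo() {
  const malformed = { username: 'ab', email: 'not-an-email', password: 'short', role: 'admin' };
  const good = { username: 'alice', email: 'alice@example.com', password: 'correct horse battery', role: 'admin' };
  const before = await callHandler(postUserUnvalidated, malformed); // 201, role persisted
  const after = await callHandler(postUser, malformed);             // 400, three issues
  const accepted = await callHandler(postUser, good);               // 201, role stripped
  return { before, after, accepted };
}

demo().then(r => console.log(JSON.stringify(r, null, 2)));
```

The `after` result is exactly what the bounty's requested test should assert on (status 400 with a non-empty `issues` array). Note the second effect of the schema beyond type checking: the unvalidated handler happily persists the unexpected `role` field, while the validated one drops it, which is why the issue describes the impact as "malicious data", not just malformed data.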
Standard for any GitHub-based project.
Standard for JavaScript development.
Standard for robust TypeScript/JavaScript schema validation.
Create a new issue on the SecureBananaLabs/bug-bounty repository, referencing issue #1773 and #743, stating intent to work on a solution.
“I've identified the input validation issue on the user creation endpoint (#1773) and understand issue #743's guidelines. I've already prototyped a Zod-based solution and can deliver a robust fix, including tests, very quickly. Can I submit a PR to your project?”