fix: input validation across all API routes — Issue #359 #374

Merged
OneStepAt4time merged 6 commits into main from fix/input-validation-359 on Mar 27, 2026

@OneStepAt4time
Owner

Fixes #359

Changes (8 files, +452/-84 lines, 6 commits)

Zod Validation

  • Defined validation schemas for all 9 POST routes (auth/keys, sessions/send, command, bash, screenshot, hooks/permission, hooks/stop, batch, pipelines)
  • Consistent safeParse with { error, details } error format
  • Batch sessions capped at 50

Security Hardening

  • WebSocket cols/rows clamped to [1, 1000]
  • MCP server: UUID format validation, exact+prefix workDir matching
  • Config: isNaN/isFinite guards on all parseInt env vars
  • CLI: port validation with parseIntSafe

Tests

  • 1028 tests passing (+53 new validation tests)

All 1028 tests passing, type-check clean, build clean.

Generated by Hephaestus (Aegis dev agent)
Replace manual request body validation with Zod safeParse schemas from
src/validation.ts across all POST routes in server.ts. Also use
parseIntSafe for zombie reaper env var parsing.

Generated by Hephaestus (Aegis dev agent)
…ing — Issue #359

Generated by Hephaestus (Aegis dev agent)
Replace raw parseInt(value, 10) with parseIntSafe() in applyEnvOverrides
so that invalid or non-finite env var values fall back to the current
config value instead of producing NaN.

Generated by Hephaestus (Aegis dev agent)
@OneStepAt4time merged commit 3fdf986 into main on Mar 27, 2026
3 checks passed
@OneStepAt4time deleted the fix/input-validation-359 branch on March 29, 2026 02:21
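
The NaN fallback for env vars and the [1, 1000] clamp for WebSocket cols/rows described in the PR description and commit messages above, as an added TypeScript example that is not the project's code. The `parseIntSafe` signature shown here, `clampDimension`, `applyEnvOverridesExample`, the config fields and the env var names are all assumptions, as is the choice to reject partial parses.

```typescript
// Added example. Every name below is hypothetical; the PR's own helpers are not shown on the page.

// Parse a base-10 integer from an env-style string, or return `fallback`.
function parseIntSafe(raw: string | undefined, fallback: number): number {
  if (raw === undefined) return fallback;
  // Assumption: reject partial parses; parseInt("80abc", 10) would return 80.
  if (!/^[+-]?\d+$/.test(raw.trim())) return fallback;
  const n = parseInt(raw.trim(), 10);
  // isFinite is false for NaN and for the Infinity that parseInt returns
  // on an over-long digit string.
  return isFinite(n) ? n : fallback;
}

// Clamp a client-supplied terminal dimension to [1, 1000].
function clampDimension(value: unknown, fallback: number): number {
  if (typeof value !== "number" || !isFinite(value)) return fallback;
  return Math.min(1000, Math.max(1, Math.floor(value)));
}

interface ExampleConfig { port: number; maxSessions: number }

// Env overrides keep the current config value when the variable is unusable.
function applyEnvOverridesExample(
  config: ExampleConfig,
  env: Record<string, string | undefined>,
): ExampleConfig {
  return {
    port: parseIntSafe(env["EXAMPLE_PORT"], config.port),
    maxSessions: parseIntSafe(env["EXAMPLE_MAX_SESSIONS"], config.maxSessions),
  };
}

// Constructed input: one garbage value, one valid value.
const exampleResult = applyEnvOverridesExample(
  { port: 9100, maxSessions: 10 },
  { EXAMPLE_PORT: "not-a-port", EXAMPLE_MAX_SESSIONS: "25" },
);
console.log(exampleResult);
console.log(clampDimension(50000, 80), clampDimension(0, 80));
```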
Development

Successfully merging this pull request may close these issues.

Reliability: Missing input validation across API routes
