fix(tasks): add input validation to createTask to prevent oversized data [NSoC'26] #145

Open
anshul23102 wants to merge 1 commit into Shriii19:master from anshul23102:fix/140-task-length-validation

Conversation

@anshul23102

Description

createTask accepted title and description from the request body and inserted them directly into Supabase with no validation. An authenticated user could create tasks with empty titles, megabyte-length descriptions, or control characters in any field, corrupting data visible to all team members and degrading performance.

Related Issue

Closes #140

Type of Change

  • Bug fix

Root Cause

The function destructured { title, description, status, position } from req.body and passed them directly to supabase.from("tasks").insert(...) without checking the type, emptiness, or length of any field.

Changes Made

File                                       Change
backend/controllers/tasks.controller.js    title must be a non-empty string; returns 400 if missing or empty
backend/controllers/tasks.controller.js    title must not exceed 200 characters; returns 400 if too long
backend/controllers/tasks.controller.js    description, if provided, must be a string and must not exceed 5000 characters

All checks run before the Supabase insert call.

Screenshots or Demo

Not applicable (backend-only change).

Testing Done

  • POST /api/tasks with no title returns 400 Task title is required.
  • POST /api/tasks with title: "" returns 400 Task title is required.
  • POST /api/tasks with title: "a".repeat(201) returns 400 Task title must not exceed 200 characters.
  • POST /api/tasks with valid title and no description creates the task normally.
  • POST /api/tasks with description: "a".repeat(5001) returns 400 Task description must not exceed 5000 characters.

Checklist

  • I have read the CONTRIBUTING.md and followed its guidelines
  • My code follows the style and formatting of this project
  • I have tested my changes locally and they work as expected
  • No unnecessary files modified outside the scope of this issue
  • There are no merge conflicts with the base branch
  • This PR is linked to the correct issue
  • I have not used any AI-generated content in this PR

NSoC Label Request

@Shriii19 could you please add the appropriate NSoC '26 label to this PR? Thank you!
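The checks listed in Changes Made and exercised in Testing Done, as an added example that is not the PR's own code: a pure validation function returning the PR's stated limits and messages, plus a handler shape that runs it before any database call. The `insertTask` dependency, trimming whitespace from the title, and the message for a non-string description are assumptions not taken from the PR.

```javascript
// Added example, not the PR's code: createTask input checks factored into a
// pure function so they can be unit-tested without Express or Supabase.
const TITLE_MAX = 200;        // limit stated in the PR
const DESCRIPTION_MAX = 5000; // limit stated in the PR

// Returns { ok: true, title, description } on success,
// or { ok: false, status: 400, message } describing the first failed check.
function validateTaskInput(body) {
  const { title, description } = body ?? {};

  // title must be a non-empty string; treating whitespace-only as empty is an
  // assumption beyond the PR text
  if (typeof title !== "string" || title.trim().length === 0) {
    return { ok: false, status: 400, message: "Task title is required" };
  }
  if (title.length > TITLE_MAX) {
    return {
      ok: false, status: 400,
      message: `Task title must not exceed ${TITLE_MAX} characters`,
    };
  }

  // description is optional; when present it must be a string within the limit
  if (description !== undefined && description !== null) {
    if (typeof description !== "string") {
      // message for this case is assumed; the PR does not state one
      return { ok: false, status: 400, message: "Task description must be a string" };
    }
    if (description.length > DESCRIPTION_MAX) {
      return {
        ok: false, status: 400,
        message: `Task description must not exceed ${DESCRIPTION_MAX} characters`,
      };
    }
  }
  return { ok: true, title, description: description ?? null };
}

// Express-style handler: validate first, only then touch the database.
// `insertTask` stands in for the Supabase insert and is an assumed dependency.
async function createTask(req, res, insertTask) {
  const result = validateTaskInput(req.body);
  if (!result.ok) {
    return res.status(result.status).json({ error: result.message });
  }
  const row = await insertTask({ title: result.title, description: result.description });
  return res.status(201).json(row);
}
```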

…tion [NSoC'26]

createTask accepted title and description from the request body and
inserted them directly into Supabase with no validation. An authenticated
user could create tasks with empty titles, 1 MB descriptions, or titles
containing control characters, corrupting data visible to all team members
and inflating API response sizes.

Added validation:
- title must be a non-empty string of at most 200 characters (required)
- description, if provided, must be a string of at most 5000 characters

Both checks return 400 with a descriptive message before any Supabase
call is made.

Closes Shriii19#140

vercel Bot commented May 31, 2026

@anshul23102 is attempting to deploy a commit to the shreemp194-gmailcom's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions

👋 Thank you for opening this pull request! I will review your changes and assist you soon.
