go.echo.request_validation

Correctness Medium

Detects Echo handlers without request validation.

Missing validation:

  • Invalid data accepted — Bad input reaches business logic
  • Security vulnerabilities — Unvalidated input exploitable
  • Runtime errors — Type mismatches cause panics

// ❌ Before (no validation)
func CreateUser(c echo.Context) error {
	var req UserRequest
	c.Bind(&req) // No validation! The bind error is also discarded.
	return createUser(req)
}

// ✅ After (with validation)
func CreateUser(c echo.Context) error {
	var req UserRequest
	// Reject bodies that cannot be decoded into UserRequest.
	if err := c.Bind(&req); err != nil {
		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
	}
	// Enforce field rules; requires a validator registered on the Echo instance.
	if err := c.Validate(&req); err != nil {
		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
	}
	return createUser(req)
}

  • Bind() without Validate()
  • Missing validation on request body
  • No error handling on bind
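
The "After" handler only validates if a validator is registered on the Echo instance; with none set, `c.Validate` returns `echo.ErrValidatorNotRegistered`. The following is an added example, not code from the original page: a standard-library-only validator with the method Echo's `Validator` interface requires. The `UserRequest` fields, the `Check` method and the `RequestValidator` type are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// UserRequest's fields are assumed; the page does not show the struct.
type UserRequest struct {
	Name  string `json:"name"`
	Email string `json:"email"`
}

// Check reports every rule violation at once, so one 400 lists them all.
func (r UserRequest) Check() error {
	var problems []string
	if n := len(strings.TrimSpace(r.Name)); n == 0 || n > 64 {
		problems = append(problems, "name: must be 1-64 bytes after trimming")
	}
	// ParseAddress also accepts "Name <addr>", so require the bare address form.
	if a, err := mail.ParseAddress(r.Email); err != nil || a.Address != r.Email {
		problems = append(problems, "email: not a bare address")
	}
	if len(problems) == 0 {
		return nil
	}
	return errors.New(strings.Join(problems, "; "))
}

// checker is implemented by request types that carry their own rules.
type checker interface{ Check() error }

// RequestValidator has the Validate(i interface{}) error method that Echo's
// Validator interface requires; register it with e.Validator = RequestValidator{}.
type RequestValidator struct{}

func (RequestValidator) Validate(i interface{}) error {
	if c, ok := i.(checker); ok {
		return c.Check()
	}
	// Fail closed: a type without rules is rejected, not silently accepted.
	return fmt.Errorf("no validation rules for %T", i)
}

func main() {
	fmt.Println(RequestValidator{}.Validate(&UserRequest{Name: "Alice", Email: "alice@example.com"}))
	fmt.Println(RequestValidator{}.Validate(&UserRequest{Name: "", Email: "nope"}))
}
```

Because unknown types are rejected, a handler that binds a new request struct without giving it rules fails visibly instead of passing unchecked input to business logic.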