python.fastapi.input_validation

Correctness High

Detects FastAPI endpoints without proper input validation.

Missing input validation exposes an endpoint to:

  • SQL injection — Unvalidated input reaches database
  • Data corruption — Invalid data stored
  • Security vulnerabilities — Unescaped user input
```python
# ❌ Before (no validation)
@app.post("/users")
async def create_user(data: dict):
    # Raw dict, no validation: any JSON object the client sends is accepted as-is
    return await db.insert(data)
```

```python
# ✅ After (with Pydantic validation)
from pydantic import BaseModel, EmailStr, Field, constr


class CreateUser(BaseModel):
    name: constr(min_length=1, max_length=100)  # non-empty, bounded length
    email: EmailStr                              # must parse as an e-mail address
    age: int = Field(ge=0, le=150)               # integer within a sane range


@app.post("/users")
async def create_user(data: CreateUser):
    # FastAPI rejects non-conforming bodies with HTTP 422 before this code runs;
    # model_dump() is the Pydantic v2 method (v1 used .dict())
    return await db.insert(data.model_dump())
```
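To show how the "before" pattern can be caught at review time, here is an added example of the detection idea (constructed for this page, not the rule's own implementation): a small stdlib `ast` walk that flags route handlers whose parameters are typed `dict`, `Dict[...]` or `Any`. The `@app.<method>` / `@router.<method>` decorator shape, the `SAMPLE` module and the function names are assumptions.

```python
import ast

# Body type hints the rule treats as unvalidated (dict / Dict[...] / Any) and route decorator methods
BARE_BODY_TYPES = {"dict", "Dict", "Any"}
HTTP_METHODS = {"get", "post", "put", "patch", "delete"}

# Constructed sample module: two unvalidated handlers, one validated handler, one plain helper
SAMPLE = '''
from typing import Any, Dict
@app.post("/users")
async def create_user(data: dict):
    return data
@router.put("/items/{item_id}")
async def update_item(item_id: int, payload: Dict[str, Any]):
    return payload
@app.post("/users/validated")
async def create_user_validated(data: CreateUser):
    return data
def helper(raw: dict):
    return raw
'''

def _type_name(node):
    # Outermost name of an annotation or call target: Dict[str, Any] -> "Dict", app.post -> "post"
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Subscript):
        return _type_name(node.value)
    return None

def find_unvalidated_params(source):
    """Return (handler, parameter, annotation) for route handlers whose parameters are typed dict/Dict/Any."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        # Assumed decorator shape: @app.post("/x") or @router.get("/y"); undecorated helpers are not routes
        if not any(isinstance(d, ast.Call) and _type_name(d.func) in HTTP_METHODS for d in node.decorator_list):
            continue
        for arg in node.args.args + node.args.kwonlyargs:
            name = _type_name(arg.annotation) if arg.annotation else None
            if name in BARE_BODY_TYPES:
                findings.append((node.name, arg.arg, name))
    return findings

if __name__ == "__main__":
    for handler, param, hint in find_unvalidated_params(SAMPLE):
        print(f"{handler}({param}: {hint}) accepts an unvalidated request body")
```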
The rule flags:

  • dict type hints in endpoint parameters
  • Any type in request bodies
  • Missing Field constraints