Files:
src/main/java/com/cabbooking/controller/AuthController.java (lines 31-45)
src/main/java/com/cabbooking/controller/BookingController.java (lines 36-83)
Severity: High
Description
User-facing endpoints accept raw input with zero validation:
Registration (POST /auth/register)
- No email format validation
- No password strength rules (min length, complexity)
- No phone format validation
- No max length on any field
Booking Creation (POST /bookings/create)
- No validation on latitude/longitude ranges
- No length limit on location strings or special instructions
Impact
- Stored XSS: if Thymeleaf templates render these fields with th:utext, arbitrary JS can be injected
- Database abuse: oversized strings waste storage
- Weak passwords: most common attack vector for account takeover
- Business logic bypass: invalid coordinates skew pricing and fraud detection
Fix
- Add Jakarta Validation annotations (@Email, @Pattern, @Size, @NotNull)
- Use @Valid in controller method signatures
- Validate coordinate ranges (-90 to 90 for lat, -180 to 180 for lon)
- Add password strength checks (min 8 chars, mixed case, digits)
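Added example of the fix (not the project's own code): request DTOs carrying the Jakarta Validation constraints listed above, and controller methods that enforce them with @Valid. Field names, the record/class names and the exact regexes are assumptions; the endpoint paths are the ones named in this finding.

```java
package com.cabbooking.controller;

import jakarta.validation.Valid;
import jakarta.validation.constraints.*;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;

// Request DTOs: every field carries a format and a length bound, so the
// controller never sees unbounded or malformed input. Names are assumptions.
record RegisterRequest(
        @NotBlank @Email @Size(max = 254) String email,
        // min 8 chars, at least one lower-case letter, one upper-case letter and one digit
        @NotBlank @Size(min = 8, max = 128)
        @Pattern(regexp = "^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d).*$",
                 message = "must contain upper case, lower case and a digit")
        String password,
        // E.164-style digits with an optional leading '+'
        @NotBlank @Pattern(regexp = "^\\+?[1-9][0-9]{6,14}$") String phone) {}

record BookingRequest(
        // latitude must lie in [-90, 90], longitude in [-180, 180]
        @NotNull @DecimalMin("-90.0") @DecimalMax("90.0") Double pickupLat,
        @NotNull @DecimalMin("-180.0") @DecimalMax("180.0") Double pickupLon,
        @NotNull @DecimalMin("-90.0") @DecimalMax("90.0") Double dropLat,
        @NotNull @DecimalMin("-180.0") @DecimalMax("180.0") Double dropLon,
        // location strings and special instructions get hard length caps
        @NotBlank @Size(max = 200) String pickupLocation,
        @NotBlank @Size(max = 200) String dropLocation,
        @Size(max = 500) String specialInstructions) {}

@RestController
public class ValidatedControllers {
    // @Valid makes Spring run the constraints before the method body executes;
    // a violation raises MethodArgumentNotValidException, which Spring Boot
    // maps to HTTP 400 by default, so no handler code below ever sees bad input.
    @PostMapping("/auth/register")
    public ResponseEntity<String> register(@Valid @RequestBody RegisterRequest req) {
        return ResponseEntity.ok("registered " + req.email());
    }

    @PostMapping("/bookings/create")
    public ResponseEntity<String> create(@Valid @RequestBody BookingRequest req) {
        return ResponseEntity.ok("booked from " + req.pickupLocation());
    }
}
```

The constraints only run if spring-boot-starter-validation (Hibernate Validator) is on the classpath; without it the @Valid annotation is silently ignored, so check the dependency as part of the fix.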