Closed gormless87 closed 1 year ago
FastAPI has baked-in sanitization. Verify this is being taken advantage of. https://fastapi.tiangolo.com/tutorial/query-params-str-validations/
This is only for developers: while verifying the change for the input restriction addition, I found that FastAPI has one known bug that changes the expected error behavior from a client-side error (422) to a server-side error (500). This is not good and is a major bug from the framework that we do not want; otherwise our frontend will not handle it properly for the user. Added a comment in the code.
Describe the task
Implement explicit sanitization of input received from the Web Browser
Acceptance Criteria
Additional context
This issue can lead to the injection of HTML code or SQL scripts, or cause buffer overflows, resulting in the upload and execution of malicious code. Considering the co-habitation of high- and low-privilege processes in the same deployment unit and in the same subnet without encrypted connections in the backend, lateral movement may be more impactful. Note: In the last 21 releases of the AWS Lambda service, 18 had a Command Injection vulnerability which allowed an AWS Lambda-deployed application to access the underlying operating system of the cloud server. (https://security.snyk.io/package/npm/aws-lambda)