Description
The @NotBlank (and @NotEmpty) validation constraints on UserController.AddUserRequest fields are not being enforced. Requests with blank or empty values for email, firstName, lastName, and password are accepted with HTTP 201 Created instead of being rejected with HTTP 400 Bad Request.
Current Behavior
The following requests are accepted (HTTP 201 Created) when they should be rejected:
{
"email": "",
"firstName": "John",
"lastName": "Doe",
"tenantId": 1,
"password": "test123",
"roles": [1]
}
Similar behavior for blank firstName, lastName, and password fields.
Expected Behavior
Requests with blank values should return HTTP 400 Bad Request with validation error messages.
Affected Component
// UserController.java (excerpt; imports added for context, jakarta.validation on Micronaut 4, javax.validation on Micronaut 3)
import io.micronaut.serde.annotation.Serdeable;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.NotEmpty;
import jakarta.validation.constraints.NotNull;
import java.util.List;

@Serdeable
public record AddUserRequest(
    @NotBlank String email,      // Not enforced
    @NotBlank String firstName,  // Not enforced
    @NotBlank String lastName,   // Not enforced
    @NotNull Long tenantId,
    @NotBlank String password,   // Not enforced
    @NotEmpty List<Long> roles)  // @NotEmpty also not enforced
Security Implications
- Users can be created with an empty password: the BCrypt hash of the empty string is stored, so an empty string becomes a valid login credential for that account
- Users can be created with an empty or whitespace-only email address, which breaks uniqueness and lookup assumptions on the email column
- Data integrity issues with blank names
- Users can be created with no roles at all, since @NotEmpty on roles is not enforced either
Root Cause Investigation
Possible causes:
- Missing @Validated annotation on the controller or method
- Missing @Valid annotation on the @Body parameter (without @Valid, validation does not cascade into the record, so the @NotBlank/@NotEmpty constraints on the AddUserRequest components are never evaluated even if the method itself is validated)
- Micronaut validation not properly configured, for example the micronaut-validation runtime dependency or the micronaut-validation-processor annotation processor missing from the build; without the processor no validation interceptor is generated and the constraints are silently ignored
Suggested Fix
Add the @Valid annotation to the request body parameter so that validation cascades into the record's fields:
@Post
public HttpResponse<UserResponse> createUser(@Body @Valid AddUserRequest requestDTO,
Authentication authentication) {
Or, if the controller is not already validated, enable validation on the controller itself (both changes together are harmless):
@Validated
@Controller("/api/users")
public class UserController {
Related Tests
Disabled tests documenting this behavior (to be re-enabled once the fix lands):
UserControllerValidationTest.createUser_failsWithBlankEmail()
UserControllerValidationTest.createUser_failsWithBlankFirstName()
UserControllerValidationTest.createUser_failsWithBlankLastName()
UserControllerValidationTest.createUser_failsWithBlankPassword()
UserControllerValidationTest.createUser_failsWithEmptyRoles()
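As an added example (not the project's UserControllerValidationTest and not code from this issue), the following Micronaut test class pins the Expected Behavior for every field of AddUserRequest at once, including whitespace-only values, which @NotBlank must reject but @NotEmpty alone would accept, and a null value for a required field. It assumes a @MicronautTest setup with micronaut-http-client and junit-jupiter-params on the test classpath, that the endpoint is POST /api/users, and that TEST_TOKEN is a bearer token accepted by the application's security configuration (createUser takes an Authentication, so an unauthenticated request would fail with 401 before validation ever runs). The package name and the token constant are placeholders.

```java
// Added example, not the project's own test. Package name and TEST_TOKEN are assumptions.
package example;

import io.micronaut.http.HttpRequest;
import io.micronaut.http.HttpStatus;
import io.micronaut.http.client.HttpClient;
import io.micronaut.http.client.annotation.Client;
import io.micronaut.http.client.exceptions.HttpClientResponseException;
import io.micronaut.test.extensions.junit5.annotation.MicronautTest;
import jakarta.inject.Inject;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.ValueSource;

import java.util.HashMap;
import java.util.List;
import java.util.Map;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

@MicronautTest
class AddUserRequestValidationExampleTest {

    // Assumption: a bearer token the security layer accepts for POST /api/users.
    private static final String TEST_TOKEN = "replace-with-a-token-from-your-login-endpoint";

    @Inject
    @Client("/")
    HttpClient client;

    // The valid body from the issue; each test corrupts exactly one field.
    private static Map<String, Object> validBody() {
        Map<String, Object> body = new HashMap<>();
        body.put("email", "john.doe@example.com");
        body.put("firstName", "John");
        body.put("lastName", "Doe");
        body.put("tenantId", 1);
        body.put("password", "test123");
        body.put("roles", List.of(1));
        return body;
    }

    // Posts the body and returns the error status; a 2xx would mean the constraint is not enforced,
    // and the blocking client raises HttpClientResponseException only for non-2xx responses.
    private HttpStatus postExpectingError(Map<String, Object> body) {
        HttpClientResponseException ex = assertThrows(HttpClientResponseException.class,
                () -> client.toBlocking().exchange(
                        HttpRequest.POST("/api/users", body).bearerAuth(TEST_TOKEN), String.class));
        return ex.getStatus();
    }

    // @NotBlank rejects null, "" and whitespace-only strings. @NotEmpty would let "   " through,
    // which for the password field would mean a whitespace-only credential is accepted.
    @ParameterizedTest
    @ValueSource(strings = {"email", "firstName", "lastName", "password"})
    void createUser_rejectsBlankField(String field) {
        for (String blank : new String[] {null, "", "   "}) {
            Map<String, Object> body = validBody();
            body.put(field, blank);
            assertEquals(HttpStatus.BAD_REQUEST, postExpectingError(body),
                    field + "='" + blank + "' must be rejected");
        }
    }

    @Test
    void createUser_rejectsEmptyRoles() {
        Map<String, Object> body = validBody();
        body.put("roles", List.of()); // @NotEmpty
        assertEquals(HttpStatus.BAD_REQUEST, postExpectingError(body));
    }

    @Test
    void createUser_rejectsMissingTenantId() {
        Map<String, Object> body = validBody();
        body.remove("tenantId"); // @NotNull
        assertEquals(HttpStatus.BAD_REQUEST, postExpectingError(body));
    }
}
```

Until the fix is applied, the parameterized test fails on every field, which reproduces the Current Behavior above; after adding @Valid (and @Validated where needed) all cases should return 400 without touching the database, since validation runs before the controller body executes.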