Add comprehensive input validation to POST /api/v1/gods endpoint

[Copilot]

POST /api/v1/gods only validated non-empty Name. Missing validation for field lengths, ID ranges, Description nullability, and batch size limits, risking data integrity issues and potential resource exhaustion.

Changes

Validation Implementation

• Added internal constants: MAX_NAME_LENGTH=100, MAX_DESCRIPTION_LENGTH=1000, MAX_BATCH_SIZE=100
• Validates all input constraints before repository call:
  • Non-null/empty list with batch size ≤ 100
  • Name: non-empty, length ≤ 100 chars
  • Description: non-null, length ≤ 1000 chars
  • MythologyId and Id (when present): positive integers
• Returns BadRequest with field index and specific error message

// Example validation pattern
if (god.Name.Length > MAX_NAME_LENGTH)
{
    return Results.BadRequest(new { error = $"God at index {i}: Name must not exceed {MAX_NAME_LENGTH} characters." });
}

API Design Note

• XML documentation clarifies this API does not sanitize HTML/script content
• Follows REST API principle: clients handle presentation-layer XSS prevention

Tests

• 11 unit tests: validation logic with mocked repository
• 11 integration tests: HTTP status codes end-to-end
• Tests reference constants (not magic numbers) for maintainability

Minor Fixes

• Fixed typo: GetAlllGods → GetAllGods
• Made validation constants internal for test access

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[MEDIUM] Incomplete input validation on POST /api/v1/gods endpoint</issue_title>
<issue_description>## Summary

The AddOrUpdateGods endpoint only validates that each god has a non-empty Name. Other fields like Description, MythologyId, and alias data are not validated for length, type range, or malicious content, risking stored XSS and data integrity issues.

Description

In src/Endpoints/v1/Gods.cs (lines 69–82), the AddOrUpdateGods method performs the following validations:

• Checks that the input list is not null or empty.
• Checks that batch size does not exceed MAX_BATCH_SIZE (100).
• Checks that each god has a non-empty Name.

However, the following validations are missing:

• Name length — no maximum length check (unlike SearchGodsByName which enforces MAX_NAME_LENGTH).
• Description — no length limit, no sanitization. Malicious HTML/script payloads can be stored and served to API consumers (stored XSS).
• MythologyId — no range validation (e.g., negative values or non-existent IDs).
• Id — when provided for updates, no validation that it is a positive integer.

The security prompt states: "Sanitize all user inputs to prevent injection attacks."

Implementation

1. Add Name length validation using the existing MAX_NAME_LENGTH constant:

   if (god.Name.Length > MAX_NAME_LENGTH)
       return Results.BadRequest($"God name must not exceed {MAX_NAME_LENGTH} characters.");

2. Add a MAX_DESCRIPTION_LENGTH constant and validate Description length.
3. Validate MythologyId is a positive integer when provided.
4. Validate Id is a positive integer when provided for updates.
5. Consider adding an HTML/script sanitization step for string fields.
6. Add unit tests for each validation case.

References

• src/Endpoints/v1/Gods.cs, lines 69–82 — AddOrUpdateGods method
• src/Gods/Models/God.cs — GodInput model definition
• OWASP Input Validation Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [MEDIUM] Incomplete input validation on POST /api/v1/gods endpoint #15

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.