Improper Input Validation
The application accepts input without validating its shape, length, range or type, and code downstream then acts on an assumption that input does not meet.
GateTest coverage
Caught by: security, ssrf, crossFileTaint
Example
Accepting any string as a URL and fetching it server-side without checking the scheme or host, so the server can be steered into requesting internal addresses on the attacker's behalf (SSRF).
How to fix it
Validate at the trust boundary, before the input reaches any code that depends on it. Use schema libraries (zod, joi, ajv, pydantic) on every external input so type, length and range are checked declaratively rather than ad hoc. Prefer an allowlist of what is accepted over a blocklist of known-bad values. GateTest's ssrf and crossFileTaint modules flag the common patterns where input crosses the boundary without validation.
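The pattern from the Example section beside a hardened version, as an added example in Python using only the standard library; this is illustrative code, not GateTest's and not the page's own. The allowlisted hosts, the accepted scheme and port, the length and timeout limits, and the two-field request shape are all assumptions made for the example; parse_fetch_request does by hand what pydantic or zod would express as a schema.

```python
"""Boundary validation for a URL-fetching endpoint (added example, not GateTest's
or the page's code). Standard library only; the allowlist, limits and request
shape are assumptions made for the example."""
from dataclasses import dataclass
from urllib.parse import urlsplit

ALLOWED_HOSTS = frozenset({"api.example.com", "cdn.example.com"})  # assumed policy
ALLOWED_SCHEMES = frozenset({"https"})
ALLOWED_PORTS = frozenset({None, 443})  # None: no explicit port in the URL
MAX_URL_LEN = 2048
MAX_TIMEOUT_S = 30


class ValidationError(ValueError):
    """Raised when external input fails boundary validation."""


def fetch_target_unsafe(url):
    """The CWE-20 pattern from the page: any string is treated as a fetchable URL,
    including 'http://169.254.169.254/latest/meta-data/'."""
    return url  # stands in for requests.get(url) in the real bug


def validate_fetch_url(url):
    """Allowlist validation of a URL before anything fetches it; returns a
    normalised https URL or raises ValidationError. Every step is an explicit
    allow, so there is no list of known-bad hosts to fall out of date."""
    if not isinstance(url, str):
        raise ValidationError("url must be a string")
    if len(url) > MAX_URL_LEN:
        raise ValidationError("url too long")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValidationError(f"scheme not allowed: {parts.scheme!r}")
    # 'https://api.example.com@evil.example/' parses as username 'api.example.com'
    # with host 'evil.example', so refuse userinfo outright.
    if parts.username is not None or parts.password is not None:
        raise ValidationError("userinfo not allowed")
    host = parts.hostname or ""  # urlsplit already lowercases it
    if host not in ALLOWED_HOSTS:
        raise ValidationError(f"host not allowed: {host!r}")
    try:
        port = parts.port  # ValueError for a non-numeric or out-of-range port
    except ValueError as exc:
        raise ValidationError("malformed port") from exc
    if port not in ALLOWED_PORTS:
        raise ValidationError(f"port not allowed: {port}")
    # Reassemble only the validated pieces; fragment and userinfo are dropped.
    query = f"?{parts.query}" if parts.query else ""
    return f"https://{host}{parts.path or '/'}{query}"


@dataclass(frozen=True)
class FetchRequest:
    url: str
    timeout_s: int


def parse_fetch_request(payload):
    """Check shape, type and range of a request body at the boundary. This is
    what pydantic/zod/joi/ajv express declaratively: unknown keys, wrong types
    and out-of-range numbers are rejected before any business logic runs."""
    if not isinstance(payload, dict):
        raise ValidationError("body must be an object")
    unknown = set(payload) - {"url", "timeout_s"}
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    url = validate_fetch_url(payload.get("url"))
    timeout = payload.get("timeout_s", 10)
    if isinstance(timeout, bool) or not isinstance(timeout, int):  # bool is an int
        raise ValidationError("timeout_s must be an integer")
    if not 1 <= timeout <= MAX_TIMEOUT_S:
        raise ValidationError("timeout_s out of range")
    return FetchRequest(url=url, timeout_s=timeout)


def request_error(payload):
    """Return the first validation failure for a payload, or None if it is valid."""
    try:
        parse_fetch_request(payload)
    except ValidationError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed inputs: one legitimate request and three classic SSRF shapes.
    for url in ("https://api.example.com/v1/items?id=7",
                "http://169.254.169.254/latest/meta-data/",
                "https://api.example.com@evil.example/",
                "https://api.example.com.evil.example/"):
        print(fetch_target_unsafe(url), "->", request_error({"url": url}) or "allowed")
```

Note what the hardened version does not do: it never resolves the host name, so an allowlisted name that resolves to an internal address, or changes answer between check and connect, is not caught here. If that is in your threat model, resolve once, check the address, and connect to that address; the string-level allowlist is the boundary check, not the whole defence.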
Scan your repo for CWE-20
Free preview of findings. Pay per scan — no subscription. AI auto-fix PR included on the Scan + Fix tier.
Frequently asked questions
What is CWE-20 (Improper Input Validation)?
The application accepts input without validating its shape, length, range or type, and code downstream then acts on an assumption that input does not meet.
How do I fix improper input validation?
Validate at the trust boundary, before the input reaches any code that depends on it. Use schema libraries (zod, joi, ajv, pydantic) on every external input so type, length and range are checked declaratively rather than ad hoc. Prefer an allowlist of what is accepted over a blocklist of known-bad values. GateTest's ssrf and crossFileTaint modules flag the common patterns where input crosses the boundary without validation.
Does GateTest detect improper input validation?
Yes. GateTest's security, ssrf and crossFileTaint modules catch this class. Findings appear in the standard scan output with file and line numbers. On the Scan + Fix and Forensic Scan tiers, Claude opens a pull request with the fix.
What rank is Improper Input Validation in the CWE Top 25?
Improper Input Validation is ranked #6 in the MITRE 2023 CWE Top 25 Most Dangerous Software Weaknesses list. The ranking reflects both prevalence (how often it appears in real CVEs) and severity (the typical impact when it's exploited).