Form Validation

20 tests verify field validation, type checking, format validation, and length constraints.

Configuration

Form validation rules are defined per endpoint in policy.yaml:

# policy.yaml
paths:
  - pattern: "/contact"
    methods: ["POST"]
    form:
      forbid_extra_fields: true
      fields:
        - name: "email"
          type: "email"
          required: true
          max_length: 255

        - name: "name"
          type: "string"
          required: true
          min_length: 2
          max_length: 100

        - name: "phone"
          type: "string"
          pattern: "^\\+?[0-9]{10,15}$"

        - name: "message"
          type: "string"
          required: true
          max_length: 5000
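To make the semantics of the form block concrete, here is an added reference validator in Python. It is example code written for this page, not the project's own implementation: the policy is mirrored as a Python dict so the block runs without a YAML library, the email check is a pragmatic regex standing in for the RFC 5322 check the page mentions, lengths are assumed to be measured in characters, and patterns are assumed to be applied with fullmatch. It also rejects repeated field names, a check the page does not describe but which closes the usual parameter-pollution gap between a proxy and its backend.

```python
import re
from urllib.parse import parse_qsl

# Python mirror of the "form" block of policy.yaml above (constructed for this
# example so it runs without a YAML dependency).
CONTACT_FORM_POLICY = {
    "forbid_extra_fields": True,
    "fields": [
        {"name": "email", "type": "email", "required": True, "max_length": 255},
        {"name": "name", "type": "string", "required": True,
         "min_length": 2, "max_length": 100},
        {"name": "phone", "type": "string", "pattern": r"^\+?[0-9]{10,15}$"},
        {"name": "message", "type": "string", "required": True, "max_length": 5000},
    ],
}

# Assumption: a pragmatic stand-in for the RFC 5322 syntax check. The full
# grammar (quoted local parts, comments, obsolete forms) is not implemented.
_EMAIL_RE = re.compile(
    r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$"
)


def _fail(name: str, msg: str) -> tuple[int, dict]:
    return 400, {"error": "Validation failed", "field": name, "message": msg}


def validate_form(body: str, policy: dict = CONTACT_FORM_POLICY) -> tuple[int, dict]:
    """Validate a urlencoded body against a form policy.

    Returns (status, json_payload) shaped like the responses in this section.
    Order: unknown fields, duplicate fields, then each policy field's
    required / length / type / pattern rules, stopping at the first failure.
    """
    # keep_blank_values so "message=" counts as present-but-empty, not missing
    pairs = parse_qsl(body, keep_blank_values=True)
    specs = {f["name"]: f for f in policy["fields"]}

    if policy.get("forbid_extra_fields"):
        for key, _ in pairs:
            if key not in specs:
                return 400, {"error": "Unexpected field", "field": key}

    # Added check (not on the page): a repeated key such as email=a&email=b
    # lets the proxy validate one value while the backend reads the other.
    values: dict[str, str] = {}
    for key, value in pairs:
        if key in values:
            return _fail(key, "Duplicate field")
        values[key] = value

    for spec in policy["fields"]:
        name = spec["name"]
        if name not in values:
            if spec.get("required"):
                return _fail(name, "Required field missing")
            continue
        value = values[name]
        # Assumption: lengths are counted in characters, not bytes.
        if "min_length" in spec and len(value) < spec["min_length"]:
            return _fail(name, f"Below minimum length of {spec['min_length']}")
        if "max_length" in spec and len(value) > spec["max_length"]:
            return _fail(name, f"Exceeds maximum length of {spec['max_length']}")
        if spec["type"] == "email" and not _EMAIL_RE.match(value):
            return _fail(name, "Invalid email format")
        # Assumption: fullmatch, so a trailing newline cannot slip past a '$'
        # anchor the way it can with re.search in Python.
        if "pattern" in spec and not re.fullmatch(spec["pattern"], value):
            return _fail(name, "Does not match required pattern")

    return 200, {"success": True, "message": "Form submitted successfully"}


if __name__ == "__main__":
    # Replay the sample requests from this section.
    for body in [
        "email=user@example.com&name=John+Doe&message=Hello",
        "email=not-an-email&name=John&message=Hello",
        "email=user@example.com&name=John",
        "email=user@example.com&name=" + "A" * 200 + "&message=Hi",
        "email=user@example.com&name=John&message=Hi&admin=true",
        "email=user@example.com&name=John&message=Hi&phone=abc123",
    ]:
        print(body[:60], "->", validate_form(body))
```

The check order matters: with forbid_extra_fields on, an unknown field is reported before any per-field rule, which is why FORM-005 returns "Unexpected field" even though every defined field in that request is valid.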
FORM-001 PASS

Valid form submission

Sample Request

curl -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "email=user@example.com&name=John+Doe&message=Hello" \
  http://localhost:8080/contact

Expected Response

HTTP/1.1 200 OK
Content-Type: application/json

{"success": true, "message": "Form submitted successfully"}

All required fields are present and pass validation. The request is forwarded to the backend.

FORM-002 BLOCKED

Invalid email format

Sample Request

curl -X POST -d "email=not-an-email&name=John&message=Hello" http://localhost:8080/contact

Expected Response

HTTP/1.1 400 Bad Request
Content-Type: application/json

{"error": "Validation failed", "field": "email", "message": "Invalid email format"}

Email fields are checked against the address syntax of RFC 5322. Values that do not parse as an address are rejected before the request reaches the backend. Note that this is a syntax check only: a well-formed address is not necessarily deliverable, and the backend should still treat it as untrusted input.

FORM-003 BLOCKED

Required field missing

Sample Request

curl -X POST -d "email=user@example.com&name=John" http://localhost:8080/contact

Expected Response

HTTP/1.1 400 Bad Request
Content-Type: application/json

{"error": "Validation failed", "field": "message", "message": "Required field missing"}

Required fields must be present. Missing required fields result in a 400 error.

FORM-004 BLOCKED

Field exceeds max length

Sample Request

curl -X POST -d "email=user@example.com&name=$(python3 -c 'print("A"*200)')&message=Hi" http://localhost:8080/contact

Expected Response

HTTP/1.1 400 Bad Request
Content-Type: application/json

{"error": "Validation failed", "field": "name", "message": "Exceeds maximum length of 100"}

Fields exceeding the configured maximum length are rejected before they reach the backend. This bounds the storage consumed per submission and keeps oversized input away from backend parsers, which limits exposure to memory-safety bugs in the code that handles the field.

FORM-005 BLOCKED

Unexpected field submitted

Sample Request

curl -X POST -d "email=user@example.com&name=John&message=Hi&admin=true" http://localhost:8080/contact

Expected Response

HTTP/1.1 400 Bad Request
Content-Type: application/json

{"error": "Unexpected field", "field": "admin"}

With forbid_extra_fields enabled, any field not defined in the policy is rejected. This blocks mass-assignment attacks, in which an attacker appends a field such as admin=true in the hope that the backend binds every submitted parameter to a model without checking which ones are expected.

FORM-006 BLOCKED

Invalid phone format

Sample Request

curl -X POST -d "email=user@example.com&name=John&message=Hi&phone=abc123" http://localhost:8080/contact

Expected Response

HTTP/1.1 400 Bad Request
Content-Type: application/json

{"error": "Validation failed", "field": "phone", "message": "Does not match required pattern"}

Fields with custom regex patterns are validated against the pattern, and values that do not match are rejected. The phone pattern in the policy is anchored with ^ and $, so a value that merely contains ten digits somewhere (for example abc1234567890) fails just as abc123 does; an unanchored pattern would accept such values.