
OWASP A06:2025 – Remove destructive endpoint, enforce input constraints, fix SQL injection#43

Draft
Copilot wants to merge 10 commits into main from copilot/vscode-mn5wr2ee-8j3d

Conversation


Copilot AI commented Mar 25, 2026

The API exposed an unauthenticated DELETE /api/v1/gods (delete-all) endpoint, accepted unbounded bulk inputs, had no model-level validation, and used raw SQL string interpolation in name searches — a combination of insecure-by-design flaws per OWASP A06:2025.

Endpoint changes

  • Removed DELETE /api/v1/gods (unprotected delete-all)
  • Added DELETE /api/v1/gods/{id} — targeted deletion only
  • Extracted GetGodById and SearchGodsByName from anonymous lambdas into named static methods with validation

Input validation

  • AddOrUpdateGods: rejects empty lists and batches > 100 items → 400 BadRequest
  • GetGodById: rejects id ≤ 0 → 400 BadRequest; missing god → 404 NotFound
  • SearchGodsByName: rejects empty/whitespace names → 400 BadRequest

Model constraints (GodInput)

[Required]
[StringLength(100, MinimumLength = 1)]
public string Name { get; set; } = null!;

[Required]
[StringLength(500, MinimumLength = 1)]
public string Description { get; set; } = null!;

SQL injection fix

Replaced FromSqlRaw with string interpolation in GetGodByNameAsync with parameterized EF.Functions.Like() LINQ queries — including alias search path.

Repository interface

  • GetGodAsync now returns God? + FirstOrDefaultAsync (was throwing on missing records)
  • DeleteAllGodsAsync removed; DeleteGodByIdAsync(GodParameter) added

Original prompt

Start Issue 35

[Chronological Review: The conversation began with the user requesting the latest 5 issues in the repository. Following that, the user instructed to start Issue 35, indicating a focus on managing issues within a project repository.]
[Intent Mapping: 1. "What are the latest 5 issues in the repo?" - The user is looking for the most recent issues in the repository. 2. "Start Issue 35" - The user wants to initiate or create Issue 35, indicating a need to address a specific task or bug in the project.]
[Technical Inventory: The conversation involves a project repository, likely hosted on a platform like GitHub or GitLab, where issues are tracked and managed.]
[Code Archaeology: No specific files or code changes were discussed in detail, but the context suggests interaction with a repository's issue tracking system.]
[Progress Assessment: The user has not yet received the latest issues and has initiated a new issue (Issue 35), indicating ongoing project management.]
[Context Validation: The user is actively managing issues in a project repository, specifically looking for recent issues and starting a new one.]
[Recent Commands Analysis: - Last Agent Commands: The user requested the latest issues and then commanded to start Issue 35. - Tool Results Summary: No specific tool results were returned as the commands were user requests rather than tool executions. - Pre-Summary State: The agent was focused on retrieving issue information and starting a new issue when the token budget was exceeded. - Operation Context: These commands relate to the user's goal of managing project tasks effectively by keeping track of issues and addressing them promptly.]
  1. Conversation Overview:
  • Primary Objectives: 1. "What are the latest 5 issues in the repo?" - The user seeks the latest issues in the repository. 2. "Start Issue 35" - The user intends to initiate Issue 35.
  • Session Context: The conversation revolves around managing issues in a project repository, with the user actively seeking information and taking action on issues.
  • User Intent Evolution: The user started by wanting to gather information about recent issues and then moved to actively create a new issue, indicating a proactive approach to project management.
  2. Technical Foundation:
  • Repository Management: The conversation involves managing issues within a project repository, likely using a platform like GitHub or GitLab.
  3. Codebase Status:
  • No specific files or code changes were discussed, but the context indicates interaction with the repository's issue tracking system.
  4. Problem Resolution:
  • Issues Encountered: The user has not yet received the latest issues, which may indicate a need for better visibility into project tasks.
  • Solutions Implemented: The user has taken the initiative to start a new issue, demonstrating a hands-on approach to project management.
  5. Progress Tracking:
  • Completed Tasks: The user has requested the latest issues but has not yet received them.
  • Partially Complete Work: The user has initiated Issue 35, indicating ongoing work on project tasks.
  6. Active Work State:
  • Current Focus: The user was focused on retrieving the latest issues and starting Issue 35.
  • Recent Context: The last few exchanges involved requests for issue information and the initiation of a new issue.
  • Immediate Context: The user was actively managing issues in the repository when the token budget was exceeded.
  7. Recent Operations:
  • Last Agent Commands:
    1. "What are the latest 5 issues in the repo?" - Request for recent issues.
    2. "Start Issue 35" - Command to start a new issue.
  • Tool Results Summary: No specific results were returned as these were user commands.
  • Pre-Summary State: The agent was engaged in managing project issues when the token budget was exceeded.
  • Operation Context: The commands executed are directly related to the user's goal of effectively managing project tasks and issues.
  8. Continuation Plan:
  • Pending Task 1: Retrieve the latest 5 issues from the repository.
  • Pending Task 2: Provide details or context for Issue 35 that the user has initiated.
  • Priority Information: The immediate next step is to fetch the latest issues to keep the user informed.
  • Next Action: Execute the command to retrieve the latest issues in the repository.

Created from VS Code.
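The SQL injection fix described in the PR, as an added illustration that is not the project's code: the raw-SQL name search beside the parameterized EF.Functions.Like form (alias path included), with LIKE wildcards in user input escaped. The God, Alias and MythContext shapes are assumed, since the PR page does not show the real entities.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.EntityFrameworkCore;

// Assumed minimal shapes; the real project's entities are not on the PR page.
public class Alias { public int Id { get; set; } public string Name { get; set; } = ""; public int GodId { get; set; } }
public class God
{
    public int Id { get; set; }
    public string Name { get; set; } = "";
    public string Description { get; set; } = "";
    public List<Alias> Aliases { get; set; } = new();
}
public class MythContext : DbContext { public DbSet<God> Gods => Set<God>(); }

public class GodRepository
{
    private readonly MythContext _db;
    public GodRepository(MythContext db) => _db = db;

    // BEFORE (the pattern the PR removes): caller input is spliced into the SQL
    // text, so a quote character inside `name` ends the string literal and the
    // rest of the input is parsed by the database as SQL.
    public Task<God?> GetGodByNameUnsafeAsync(string name) =>
        _db.Gods.FromSqlRaw($"SELECT * FROM Gods WHERE Name LIKE '%{name}%'")
                .FirstOrDefaultAsync();

    // AFTER: LINQ + EF.Functions.Like is translated to a parameterized query;
    // `pattern` is sent as a bound parameter, never as SQL text. The alias
    // search uses the same construct. LIKE wildcards in the input are escaped
    // so a bare "%" cannot match every row (a matching-scope issue, not injection).
    public Task<God?> GetGodByNameAsync(string name)
    {
        var pattern = "%" + EscapeLike(name) + "%";
        return _db.Gods
            .Where(g => EF.Functions.Like(g.Name, pattern, "\\")
                     || g.Aliases.Any(a => EF.Functions.Like(a.Name, pattern, "\\")))
            .FirstOrDefaultAsync();
    }

    private static string EscapeLike(string s) =>
        s.Replace("\\", "\\\\").Replace("%", "\\%").Replace("_", "\\_");
}
```

If raw SQL must stay for some query, EF Core's FromSqlInterpolated (FromSql in newer versions) turns each interpolation hole into a DbParameter, which is the safe counterpart of the FromSqlRaw call above.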



aatmmr added 9 commits March 5, 2026 10:59
- Added global exception handling middleware to improve error management and response consistency.
- Refactored repository methods to use `FirstOrDefaultAsync` and handle null returns appropriately.
- Enhanced endpoint methods to validate input and return proper HTTP status codes.
- Fixed SQL injection vulnerabilities by replacing raw SQL queries with parameterized LINQ queries.
- Added comprehensive input validation using FluentValidation.
- Created integration tests for mythology endpoints to ensure correct behavior and responses.
- Updated unit tests for god and mythology endpoints to use NSubstitute for mocking dependencies.
…t validation and safe deletion

Co-authored-by: aatmmr <15815012+aatmmr@users.noreply.github.com>
Agent-Logs-Url: https://github.com/SolidifyDemo/mythapi-training-demo/sessions/1a20643c-86a6-4e4e-9d03-bcfc71dd1573
Copilot AI changed the title [WIP] Start work on issue 35 OWASP A06:2025 – Remove destructive endpoint, enforce input constraints, fix SQL injection Mar 25, 2026
Copilot AI requested a review from aatmmr March 25, 2026 10:48