Problem Statement
DevPath does not implement request validation on skill assessment API endpoints, allowing users to submit invalid or malicious payloads that crash the assessment engine or cause incorrect skill level calculations. Attackers can manipulate responses to claim false skill levels.
Root Cause Analysis
Assessment endpoints lack input schema validation and perform no bounds checking on score values. Malformed JSON or unexpected data types cause unhandled exceptions. There is no rate limiting to prevent test submission spam.
Solution Overview
- Implement strict input validation using JSON schema validation library
- Add type checking and bounds verification on all inputs
- Implement rate limiting on assessment submissions
- Add comprehensive error handling with safe error messages
- Implement assessment answer verification against solution key
- Add tamper detection (verify responses match expected submission flow)
- Log suspicious assessment attempts
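Added example (not DevPath's code) of the first, second, fourth and fifth items above in Node.js 18: the raw body is parsed and checked against a fixed shape without throwing, the client-supplied score is rejected outright, and the score is recomputed from a server-side solution key. The field names (skillId, answers, questionId, choice), the bounds and the answer key are assumptions.

```javascript
const MAX_ANSWERS = 200;
const SKILL_ID = /^[a-z0-9-]{1,64}$/;

// Constructed solution key (assumption): skillId -> { questionId: correctChoice }
const ANSWER_KEY = {
  'javascript-basics': { 1: 'b', 2: 'a', 3: 'd' },
};

// Parse and validate the raw request body. Never throws: every failure is
// returned as a 400 with a safe, fixed message that does not echo the payload.
function validateSubmission(rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch {
    return { ok: false, status: 400, error: 'Malformed JSON' }; // Test Case 2
  }
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, status: 400, error: 'Body must be a JSON object' };
  }
  // A client-supplied score is never trusted; its presence is itself an error.
  if ('score' in body) {
    return { ok: false, status: 400, error: 'score is computed server-side' }; // Test Case 1
  }
  const { skillId, answers } = body;
  // Object.hasOwn keeps prototype names such as "constructor" from matching a key.
  if (typeof skillId !== 'string' || !SKILL_ID.test(skillId) || !Object.hasOwn(ANSWER_KEY, skillId)) {
    return { ok: false, status: 400, error: 'Unknown or invalid skillId' };
  }
  if (!Array.isArray(answers) || answers.length === 0 || answers.length > MAX_ANSWERS) {
    return { ok: false, status: 400, error: 'answers must be a non-empty array' };
  }
  const seen = new Set();
  for (const a of answers) {
    if (a === null || typeof a !== 'object' || !Number.isInteger(a.questionId) ||
        typeof a.choice !== 'string' || a.choice.length !== 1 || seen.has(a.questionId)) {
      return { ok: false, status: 400, error: 'Invalid answer entry' };
    }
    seen.add(a.questionId);
  }
  return { ok: true, status: 200, value: { skillId, answers } };
}

// Score only from validated answers and the server's key, so the result is
// bounded to 0..100 regardless of what the client sent.
function scoreSubmission({ skillId, answers }) {
  const key = ANSWER_KEY[skillId];
  const total = Object.keys(key).length;
  const correct = answers.filter((a) => key[a.questionId] === a.choice).length;
  return Math.round((100 * correct) / total);
}
```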
Type of Change
Testing Done
Environment
- Node.js 18.x+
- JSON schema validator
- Test input fuzzing
Manual Testing Steps
Test Case 1: Invalid score submission
- Submit skill assessment with score: 999999 (invalid)
- Observe response
Expected: Request rejected with validation error
Actual: Score accepted, user skill level inflated to unrealistic level
Test Case 2: Malformed JSON
- Submit: "{broken json: unclosed"
- Check error handling
Expected: Graceful 400 Bad Request response
Actual: Server crashes with 500 error
Related Issue
Prevents skill level fraud and maintains assessment integrity.
Suggested Labels
bug, level:intermediate, gssoc26, security, validation, assessment, input-validation