oh-my-ai/nestjs
NestJS architecture, dependency injection, validation, security, errors, testing, persistence, APIs, microservices, and deployment patterns with prioritized rule tiers and companion rule files.
99
1.12x
Quality
100%
Does it follow best practices?
Impact
97%
1.12xAverage score across 2 eval scenarios
Securityby
Advisory
Suggest reviewing before use
security-validate-all-input.mdrules/
- name:
- security-validate-all-input
- description:
- Validate All Input with DTOs and Pipes — First line of defense against attacks
- title:
- Validate All Input with DTOs and Pipes
- impact:
- HIGH
- impactDescription:
- First line of defense against attacks
- tags:
- security, validation, dto, pipes
Validate All Input with DTOs and Pipes
Always validate incoming data using class-validator decorators on DTOs and the global ValidationPipe. Never trust user input. Validate all request bodies, query parameters, and route parameters before processing.
Incorrect (trust raw input without validation):
// Trust raw input without validation
@Controller('users')
export class UsersController {
@Post()
create(@Body() body: any) {
// body could contain anything - SQL injection, XSS, etc.
return this.usersService.create(body);
}
@Get()
findAll(@Query() query: any) {
// query.limit could be "'; DROP TABLE users; --"
return this.usersService.findAll(query.limit);
}
}
// DTOs without validation decorators
export class CreateUserDto {
name: string; // No validation
email: string; // Could be "not-an-email"
age: number; // Could be "abc" or -999
}Correct (validated DTOs with global ValidationPipe):
// Enable ValidationPipe globally in main.ts
async function bootstrap() {
const app = await NestFactory.create(AppModule);
app.useGlobalPipes(
new ValidationPipe({
whitelist: true, // Strip unknown properties
forbidNonWhitelisted: true, // Throw on unknown properties
transform: true, // Auto-transform to DTO types
transformOptions: {
enableImplicitConversion: true,
},
}),
);
await app.listen(3000);
}
// Create well-validated DTOs
import {
IsString,
IsEmail,
IsInt,
Min,
Max,
IsOptional,
MinLength,
MaxLength,
Matches,
IsNotEmpty,
} from 'class-validator';
import { Transform, Type } from 'class-transformer';
export class CreateUserDto {
@IsString()
@IsNotEmpty()
@MinLength(2)
@MaxLength(100)
@Transform(({ value }) => value?.trim())
name: string;
@IsEmail()
@Transform(({ value }) => value?.toLowerCase().trim())
email: string;
@IsInt()
@Min(0)
@Max(150)
age: number;
@IsString()
@MinLength(8)
@MaxLength(100)
@Matches(/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)/, {
message: 'Password must contain uppercase, lowercase, and number',
})
password: string;
}
// Query DTO with defaults and transformation
export class FindUsersQueryDto {
@IsOptional()
@IsString()
@MaxLength(100)
search?: string;
@IsOptional()
@Type(() => Number)
@IsInt()
@Min(1)
@Max(100)
limit: number = 20;
@IsOptional()
@Type(() => Number)
@IsInt()
@Min(0)
offset: number = 0;
}
// Param validation
export class UserIdParamDto {
@IsUUID('4')
id: string;
}
@Controller('users')
export class UsersController {
@Post()
create(@Body() dto: CreateUserDto): Promise<User> {
// dto is guaranteed to be valid
return this.usersService.create(dto);
}
@Get()
findAll(@Query() query: FindUsersQueryDto): Promise<User[]> {
// query.limit is a number, query.search is sanitized
return this.usersService.findAll(query);
}
@Get(':id')
findOne(@Param() params: UserIdParamDto): Promise<User> {
// params.id is a valid UUID
return this.usersService.findById(params.id);
}
}Reference: NestJS Validation
evals
scenario-1
scenario-2
rules
_sections.md_template.mdapi-use-dto-serialization.mdapi-use-interceptors.mdapi-use-pipes.mdapi-versioning.mdarch-avoid-circular-deps.mdarch-feature-modules.mdarch-module-sharing.mdarch-single-responsibility.mdarch-use-events.mdarch-use-repository-pattern.mddb-avoid-n-plus-one.mddb-use-migrations.mddb-use-transactions.mddevops-graceful-shutdown.mddevops-use-config-module.mddevops-use-logging.mddi-avoid-service-locator.mddi-interface-segregation.mddi-liskov-substitution.mddi-prefer-constructor-injection.mddi-scope-awareness.mddi-use-interfaces-tokens.mderror-handle-async-errors.mderror-throw-http-exceptions.mderror-use-exception-filters.mdmicro-use-health-checks.mdmicro-use-patterns.mdmicro-use-queues.mdperf-async-hooks.mdperf-lazy-loading.mdperf-optimize-database.mdperf-use-caching.mdsecurity-auth-jwt.mdsecurity-rate-limiting.mdsecurity-sanitize-output.mdsecurity-use-guards.mdsecurity-validate-all-input.mdtest-e2e-supertest.mdtest-mock-external-services.mdtest-use-testing-module.md