From 10973790e976c06c94a99026f3123f39cfb6f3c0 Mon Sep 17 00:00:00 2001
From: anshul23102
Date: Tue, 2 Jun 2026 22:18:38 +0530
Subject: [PATCH] fix(tasks): add length validation to updateTask matching createTask limits [NSoC'26]

createTask validated that title does not exceed 200 characters and description does not exceed 5000 characters. updateTask had no length validation, so an authenticated user could bypass creation-time limits by sending an oversized payload to PATCH /tasks/:id/edit. Added the same validation guards to updateTask so both creation and update paths enforce consistent input limits before writing to Supabase.

Closes #162
---
 backend/controllers/tasks.controller.js | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/backend/controllers/tasks.controller.js b/backend/controllers/tasks.controller.js
index cb0aa5f..9f8709c 100644
--- a/backend/controllers/tasks.controller.js
+++ b/backend/controllers/tasks.controller.js
@@ -92,8 +92,28 @@ export const updateTask = async (req, res) => {
 const { title, description, status } = req.body;
 const updateFields = {};
- if (title !== undefined) updateFields.title = title;
- if (description !== undefined) updateFields.description = description;
+ // Apply the same length limits as createTask so an authenticated user
+ // cannot bypass creation-time validation by patching an existing task.
+ if (title !== undefined) {
+ if (typeof title !== "string" || title.trim().length === 0) {
+ return res.status(400).json({ error: "Task title is required." });
+ }
+ if (title.length > 200) {
+ return res.status(400).json({ error: "Task title must not exceed 200 characters." });
+ }
+ updateFields.title = title;
+ }
+ if (description !== undefined) {
+ if (description !== null) {
+ if (typeof description !== "string") {
+ return res.status(400).json({ error: "Task description must be a string." });
+ }
+ if (description.length > 5000) {
+ return res.status(400).json({ error: "Task description must not exceed 5000 characters." });
+ }
+ }
+ updateFields.description = description;
+ }
 // Validate status if provided
 const validStatus = ["todo", "in_progress", "done"];
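Review bot: The 200 and 5000 limits are written as bare literals in updateTask and, going by the commit message, exist as separate literals in createTask (presumably in this same controller file), so the two paths can drift apart again exactly as they did before this fix; lift them into module-level constants such as `const TASK_TITLE_MAX_LENGTH = 200;` and `const TASK_DESCRIPTION_MAX_LENGTH = 5000;` and compare with `if (title.length > TASK_TITLE_MAX_LENGTH)` in both controllers, or move the checks into one shared validator both call. The first title guard returns "Task title is required." when a title is present but not a string (a number or object in the JSON body), which misdescribes the failure; `"Task title must be a non-empty string."` would match the condition it guards. The stored value is the untrimmed title, so a whitespace-padded title passes the non-empty check yet reaches Supabase with its padding; if createTask trims, `updateFields.title = title.trim();` would keep the two paths consistent, otherwise leave it as is. updateTask's body continues outside the hunk, including the status validation that follows the new checks.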