Input Validation & Sanitization
How Gauzy validates and sanitizes all incoming data.
Validation Pipeline
class-validator DTOs
All input is validated using DTOs with class-validator decorators:
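```typescript
import { IsString, IsOptional, IsUUID, IsEnum } from "class-validator";
// Assumed import path for the project's task-status enum.
import { TaskStatusEnum } from "@gauzy/contracts";

export class CreateTaskDTO {
  // Required free-text title.
  @IsString()
  title: string;

  // Optional; validated as a string only when present.
  @IsOptional()
  @IsString()
  description?: string;

  // Must be a well-formed UUID.
  @IsUUID()
  projectId: string;

  // Must be one of the TaskStatusEnum values.
  @IsEnum(TaskStatusEnum)
  status: TaskStatusEnum;
}
```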
Validation Pipe
Applied via the @UseValidationPipe() decorator:
```typescript
@Post('/')
@UseValidationPipe({ whitelist: true })
async create(@Body() entity: CreateTaskDTO) { ... }
```
Options
| Option | Description |
|---|---|
| `whitelist` | Strip properties not in the DTO |
| `transform` | Auto-transform to DTO types |
| `forbidNonWhitelisted` | Throw error for unknown properties |
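How `whitelist` and `forbidNonWhitelisted` interact, as an added example that is not Gauzy's or class-validator's own code: a dependency-free TypeScript model of the two options, run against a constructed request body carrying two fields the DTO does not declare. `runPipe`, `createTaskSchema` and the status values are hypothetical; the model follows class-validator's behaviour that `forbidNonWhitelisted` only takes effect when `whitelist` is also enabled.

```typescript
// Added example: dependency-free model of whitelist / forbidNonWhitelisted.
// Not class-validator's or Gauzy's implementation; all names are hypothetical.
type Check = (v: unknown) => boolean;
type Schema = Record<string, { check: Check; optional?: boolean }>;
interface PipeOptions { whitelist?: boolean; forbidNonWhitelisted?: boolean }

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const STATUSES = ["open", "in-progress", "completed"]; // constructed stand-in for TaskStatusEnum
const isString: Check = (v) => typeof v === "string";
const own = (o: object, k: string) => Object.prototype.hasOwnProperty.call(o, k);

// Mirrors the fields of CreateTaskDTO from the page.
const createTaskSchema: Schema = {
  title: { check: isString },
  description: { check: isString, optional: true },
  projectId: { check: (v) => typeof v === "string" && UUID_RE.test(v) },
  status: { check: (v) => typeof v === "string" && STATUSES.indexOf(v) !== -1 },
};

function runPipe(body: Record<string, unknown>, schema: Schema, opts: PipeOptions = {}) {
  const errors: string[] = [];
  const value: Record<string, unknown> = { ...body };
  for (const key of Object.keys(schema)) {
    const present = value[key] !== undefined && value[key] !== null;
    if (!present && schema[key].optional) continue;
    if (!schema[key].check(value[key])) errors.push(`${key} is invalid`);
  }
  // Undeclared properties are only examined when whitelist is on;
  // forbidNonWhitelisted has no effect by itself.
  if (opts.whitelist) {
    for (const key of Object.keys(value)) {
      if (own(schema, key)) continue; // own-property test: "toString" is not a declared field
      if (opts.forbidNonWhitelisted) errors.push(`property ${key} should not exist`);
      else delete value[key];
    }
  }
  return { value, errors };
}

// Constructed request body with two fields the DTO does not declare.
const body: Record<string, unknown> = {
  title: "Rotate API keys",
  projectId: "3f2b8c1e-9d4a-4e6b-8a57-0c1d2e3f4a5b",
  status: "open",
  tenantId: "other-tenant",
  isAdmin: true,
};
```

With no options, or with `forbidNonWhitelisted` alone, `tenantId` and `isAdmin` reach the handler untouched; `whitelist: true` drops them silently, and both options together reject the request.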