
Validation: @NullOrNotBlank constraints not enforced on UpdateSelfRequest #42

@stanleykc

Description

The custom @NullOrNotBlank validation constraints on UserController.UpdateSelfRequest fields are not being enforced. Requests with blank/whitespace-only values for firstName, lastName, and password are accepted instead of being rejected.

Current Behavior

The following request is accepted (HTTP 200 OK) when it should be rejected:

{
  "firstName": "   ",
  "lastName": "Valid"
}

This allows users to set their firstName to only whitespace characters.

Expected Behavior

  • null values should be accepted (field not updated)
  • Non-blank values should be accepted (field updated)
  • Blank/whitespace-only values should be rejected with HTTP 400 Bad Request

Affected Component

// UserController.java
@Serdeable
public record UpdateSelfRequest(
        @NullOrNotBlank String firstName,  // Not enforced
        @NullOrNotBlank String lastName,   // Not enforced
        @NullOrNotBlank String password)   // Not enforced
{}

The NullOrNotBlankValidator class itself is correctly implemented:

public class NullOrNotBlankValidator implements ConstraintValidator<NullOrNotBlank, String> {
    @Override
    public boolean isValid(String value, ConstraintValidatorContext context) {
        return value == null || !value.trim().isEmpty();
    }
}

Security Implications

  • Users can set their password to whitespace only (appears blank but is a valid BCrypt hash)
  • Users can have names that are only whitespace, causing display/formatting issues

Root Cause Investigation

The validator implementation is correct. The issue is likely:

  1. Missing @Valid annotation on the @Body parameter
  2. Missing @Validated annotation on the controller
  3. Custom constraint validator not being picked up by Micronaut

Suggested Fix

Ensure validation is enabled on the endpoint:

@Patch("{id}")
public HttpResponse<UserResponse> selfPatch(@PathVariable Long id,
                                            @Body @Valid UpdateSelfRequest requestDTO,
                                            Authentication authentication) {
    // ... existing method body unchanged
}

Related Tests

Disabled tests documenting this behavior:

  • UserControllerValidationTest.selfPatch_failsWithBlankFirstName()
  • UserControllerValidationTest.selfPatch_failsWithBlankLastName()
  • UserControllerValidationTest.selfPatch_failsWithBlankPassword()

Unit tests confirming validator logic is correct:

  • NullOrNotBlankValidatorTest (all tests pass)
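The following is an added example, not code from the repository or from the issue author, showing the three pieces Micronaut needs before a custom constraint on a request body is actually enforced: the annotation carrying @Constraint(validatedBy = ...), the validator bean, and a controller method carrying both @Validated and @Valid. It assumes Micronaut 4 with micronaut-validation, micronaut-serde and micronaut-security on the classpath, and, like the validator on the page, uses the jakarta.validation ConstraintValidator interface; the package, route, annotation body and response type are assumptions. The validator swaps trim().isEmpty() for isBlank(), because trim() strips only code points at or below U+0020 and so lets Unicode whitespace such as U+2003 through; the main method demonstrates that difference.

```java
package example;  // hypothetical package

import io.micronaut.http.HttpResponse;
import io.micronaut.http.annotation.Body;
import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Patch;
import io.micronaut.http.annotation.PathVariable;
import io.micronaut.security.authentication.Authentication;
import io.micronaut.serde.annotation.Serdeable;
import io.micronaut.validation.Validated;
import jakarta.validation.Constraint;
import jakarta.validation.ConstraintValidator;
import jakarta.validation.ConstraintValidatorContext;
import jakarta.validation.Payload;
import jakarta.validation.Valid;

import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

public class NullOrNotBlankExample {

    // 1. The constraint annotation (reconstructed; the page does not show it).
    //    @Constraint(validatedBy = ...) is what ties the annotation to its
    //    validator; without it the annotation is inert and blank values pass
    //    (root cause 3 in the issue).
    @Documented
    @Constraint(validatedBy = NullOrNotBlankValidator.class)
    @Target({ElementType.FIELD, ElementType.PARAMETER, ElementType.RECORD_COMPONENT})
    @Retention(RetentionPolicy.RUNTIME)
    public @interface NullOrNotBlank {
        String message() default "must be null or contain at least one non-whitespace character";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }

    // 2. The validator. isBlank() (Java 11+) treats Unicode whitespace such as
    //    U+2003 EM SPACE as blank; trim() only strips code points <= U+0020.
    public static class NullOrNotBlankValidator implements ConstraintValidator<NullOrNotBlank, String> {
        @Override
        public boolean isValid(String value, ConstraintValidatorContext context) {
            return value == null || !value.isBlank();
        }
    }

    // 3. The request record, annotated as on the page.
    @Serdeable
    public record UpdateSelfRequest(
            @NullOrNotBlank String firstName,
            @NullOrNotBlank String lastName,
            @NullOrNotBlank String password) {}

    // 4. The controller. @Validated makes Micronaut intercept the method
    //    (root cause 2) and @Valid on the @Body parameter cascades validation
    //    into the record components (root cause 1). If either is missing the
    //    constraints are never evaluated and the handler runs with blank input.
    @Validated
    @Controller("/users")  // hypothetical route
    public static class UserController {
        @Patch("{id}")
        public HttpResponse<String> selfPatch(@PathVariable Long id,
                                              @Body @Valid UpdateSelfRequest requestDTO,
                                              Authentication authentication) {
            // With validation enforced, a blank field never reaches this point:
            // Micronaut answers 400 Bad Request before the body executes.
            return HttpResponse.ok("updated");
        }
    }

    // Exercises the validator directly against the issue's three expected
    // behaviours plus the Unicode-whitespace case that trim() misses.
    public static void main(String[] args) {
        NullOrNotBlankValidator v = new NullOrNotBlankValidator();
        check("null is accepted (field not updated)", v.isValid(null, null));
        check("non-blank value is accepted", v.isValid("Valid", null));
        check("ASCII whitespace is rejected", !v.isValid("   ", null));
        check("Unicode whitespace (U+2003) is rejected", !v.isValid("\u2003", null));
        // The page's trim()-based check would accept U+2003, because trim()
        // leaves it in place and the result is not empty.
        check("trim() alone does not catch U+2003", !"\u2003".trim().isEmpty());
    }

    private static void check(String what, boolean ok) {
        if (!ok) throw new AssertionError(what);
        System.out.println("ok: " + what);
    }
}
```

The main method runs without a Micronaut context, so it only proves the validator logic; the enforcement path (a PATCH with a whitespace-only field answered with 400) is what the disabled UserControllerValidationTest cases listed above are meant to cover once @Validated and @Valid are in place.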

Labels: bug (Something isn't working), security (Security-related issues)