Conversation

Copilot AI commented Jan 14, 2026

Confirmed that Zod schema validation has been properly implemented to address CodeRabbit's security review feedback on PR #238.

Validation Implementation

  • Schema Definition: FederalTaxInputSchema in tax-formulas.ts (lines 520-537)

    • Required fields: year (2018-2025), filingStatus (enum), wages (non-negative)
    • Optional fields with proper constraints (non-negative numbers, integer counts)
  • Boundary Validation: Applied in http-bridge.ts at both endpoints

    • /api/forecast/tax (lines 1059-1071)
    • /api/forecast/tax/pdf (lines 1100-1112)
    • Uses safeParse() with 400 error responses on invalid input
    • Only validated data passed to calculateFederal()

```ts
// Dynamic import of the module that exports both the calculator and its input schema
const { calculateFederal, FederalTaxInputSchema } = await import('./modules/forecast/formulas/tax-formulas.js');

// Validate the untrusted request field before it reaches any calculation code
const validationResult = FederalTaxInputSchema.safeParse(forecast_input);
if (!validationResult.success) {
  return res.status(400).json({
    success: false,
    error: 'Invalid forecast_input data',
    details: validationResult.error.issues
  });
}

// Only the parsed (validated) data is passed on, never the raw input
const calculatedValues = calculateFederal(validationResult.data);
```

Notes

The ForecastHttpRequestSchema still uses z.any() for initial parsing to avoid circular dependencies, but strict validation occurs in the handler before calculation functions are called. This pattern satisfies the security requirement of validating all user inputs at API boundaries.



coderabbitai bot commented Jan 14, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@codacy-production
Codacy's Analysis Summary

0 new issue (≤ 0 issue)
0 new security issue

Review Pull Request in Codacy →

AI Reviewer available: add the codacy-review label to get contextual insights without leaving GitHub.

@MightyPrytanis MightyPrytanis marked this pull request as ready for review January 14, 2026 18:42
Copilot AI changed the title [WIP] Fix main functionality based on review feedback Verify Zod schema validation for FederalTaxInput at HTTP boundaries Jan 14, 2026
@MightyPrytanis MightyPrytanis merged commit ca971bf into restore-clean-main Jan 14, 2026
4 of 5 checks passed
@MightyPrytanis MightyPrytanis deleted the copilot/sub-pr-238 branch January 14, 2026 18:42
Copilot AI requested a review from MightyPrytanis January 14, 2026 18:42