1---
2title: Validate All Input with DTOs and Pipes
3impact: HIGH
4impactDescription: First line of defense against attacks
5tags: security, validation, dto, pipes
6---
7 
8## Validate All Input with DTOs and Pipes
9 
10Always validate incoming data using class-validator decorators on DTOs and the global ValidationPipe. Never trust user input. Validate all request bodies, query parameters, and route parameters before processing.
11 
12**Incorrect (trust raw input without validation):**
13 
14```typescript
15// Trust raw input without validation
16@Controller('users')
17export class UsersController {
18  @Post()
19  create(@Body() body: any) {
20    // body could contain anything - SQL injection, XSS, etc.
21    return this.usersService.create(body);
22  }
23 
24  @Get()
25  findAll(@Query() query: any) {
26    // query.limit could be "'; DROP TABLE users; --"
27    return this.usersService.findAll(query.limit);
28  }
29}
30 
31// DTOs without validation decorators
32export class CreateUserDto {
33  name: string;    // No validation
34  email: string;   // Could be "not-an-email"
35  age: number;     // Could be "abc" or -999
36}
37```
38 
39**Correct (validated DTOs with global ValidationPipe):**
40 
41```typescript
42// Enable ValidationPipe globally in main.ts
43async function bootstrap() {
44  const app = await NestFactory.create(AppModule);
45 
46  app.useGlobalPipes(
47    new ValidationPipe({
48      whitelist: true,              // Strip unknown properties
49      forbidNonWhitelisted: true,   // Throw on unknown properties
50      transform: true,              // Auto-transform to DTO types
51      transformOptions: {
52        enableImplicitConversion: true,
53      },
54    }),
55  );
56 
57  await app.listen(3000);
58}
59 
60// Create well-validated DTOs
61import {
62  IsString,
63  IsEmail,
64  IsInt,
65  Min,
66  Max,
67  IsOptional,
68  MinLength,
69  MaxLength,
70  Matches,
71  IsNotEmpty,
72} from 'class-validator';
73import { Transform, Type } from 'class-transformer';
74 
75export class CreateUserDto {
76  @IsString()
77  @IsNotEmpty()
78  @MinLength(2)
79  @MaxLength(100)
80  @Transform(({ value }) => value?.trim())
81  name: string;
82 
83  @IsEmail()
84  @Transform(({ value }) => value?.toLowerCase().trim())
85  email: string;
86 
87  @IsInt()
88  @Min(0)
89  @Max(150)
90  age: number;
91 
92  @IsString()
93  @MinLength(8)
94  @MaxLength(100)
95  @Matches(/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)/, {
96    message: 'Password must contain uppercase, lowercase, and number',
97  })
98  password: string;
99}
100 
101// Query DTO with defaults and transformation
102export class FindUsersQueryDto {
103  @IsOptional()
104  @IsString()
105  @MaxLength(100)
106  search?: string;
107 
108  @IsOptional()
109  @Type(() => Number)
110  @IsInt()
111  @Min(1)
112  @Max(100)
113  limit: number = 20;
114 
115  @IsOptional()
116  @Type(() => Number)
117  @IsInt()
118  @Min(0)
119  offset: number = 0;
120}
121 
122// Param validation
123export class UserIdParamDto {
124  @IsUUID('4')
125  id: string;
126}
127 
128@Controller('users')
129export class UsersController {
130  @Post()
131  create(@Body() dto: CreateUserDto): Promise<User> {
132    // dto is guaranteed to be valid
133    return this.usersService.create(dto);
134  }
135 
136  @Get()
137  findAll(@Query() query: FindUsersQueryDto): Promise<User[]> {
138    // query.limit is a number, query.search is sanitized
139    return this.usersService.findAll(query);
140  }
141 
142  @Get(':id')
143  findOne(@Param() params: UserIdParamDto): Promise<User> {
144    // params.id is a valid UUID
145    return this.usersService.findById(params.id);
146  }
147}
148```
149 
150Reference: [NestJS Validation](https://docs.nestjs.com/techniques/validation)
151