AI-coding hygiene
no-unvalidated-input
Flag `as T` / `satisfies T` on `req.body`, `req.query`, `req.params`, `await request.json()`, etc.
AI tools love to "make TypeScript happy" by asserting the shape of untrusted runtime data: `const body = req.body as CreateUserInput;`. The type system is satisfied; the runtime is not. The assertion is erased at compile time, so nothing checks the value, and mass-assignment, NoSQL injection, and undefined-property crashes all follow downstream. The rule is intentionally narrow: it only fires on assertions targeting known untrusted request properties, and it skips `as any`/`as unknown` (those are widening, not narrowing).
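What the two forms do at runtime, as an added example that is not part of the plugin or its documentation. The fields of `CreateUserInput`, the functions `unsafeRead`, `parseCreateUser` and `outcome`, and the sample bodies are assumptions; the hand-written validator stands in for a schema library's `parse()`.

```typescript
// Added example; every name and sample body below is hypothetical/constructed.
interface CreateUserInput {
  email: string;
  password: string;
}

// Pattern the rule flags: the assertion is erased at compile time, so the
// value comes back unchanged, with whatever keys and types the client sent.
function unsafeRead(body: unknown): CreateUserInput {
  return body as CreateUserInput;
}

// Stand-in for a schema parse(): checks each field at runtime and
// copies only the declared keys into a fresh object.
function parseCreateUser(body: unknown): CreateUserInput {
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    throw new TypeError("body must be a JSON object");
  }
  const { email, password } = body as Record<string, unknown>;
  if (typeof email !== "string" || !email.includes("@")) {
    throw new TypeError("email must be a string containing '@'");
  }
  if (typeof password !== "string" || password.length < 8) {
    throw new TypeError("password must be a string of at least 8 characters");
  }
  return { email, password }; // undeclared keys are dropped here
}

// Constructed request bodies, as a JSON body parser would deliver them.
const extraField: unknown = JSON.parse(
  '{"email":"a@example.com","password":"correct-horse","isAdmin":true}');
const wrongType: unknown = JSON.parse(
  '{"email":"a@example.com","password":{"$ne":null}}');

// Summarises what downstream code would receive from a given reader.
function outcome(read: (b: unknown) => CreateUserInput, body: unknown): string {
  try {
    const input = read(body);
    return `accepted keys=${Object.keys(input).join(",")} passwordType=${typeof input.password}`;
  } catch (e) {
    return `rejected: ${(e as Error).message}`;
  }
}
```

With `unsafeRead`, the undeclared `isAdmin` key and the object-valued `password` both reach downstream code typed as a valid `CreateUserInput`; with `parseCreateUser`, the first is stripped and the second is rejected.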
Behavior
- Fixable: No.
- Suggestions: No.
Examples
Bad:
```ts
const body = req.body as CreateUserInput;
```
Good:
```ts
const body = userSchema.parse(req.body);
```
Related rules
- no-unsafe-mass-assignment: Flag `Object.assign(user, req.body)` and `{ ...model, ...req.body }` shapes.
- no-sql-injection: Flag SQL queries built by `+` concatenation or template-literal interpolation.
- no-leaked-stack-trace: Forbid HTTP responses that include a stack trace or the raw caught-exception object.
Use it
Enable no-unvalidated-input in your eslint.config.js:
```js
import deslint from '@deslint/eslint-plugin';

export default [
  {
    plugins: { deslint },
    rules: {
      'deslint/no-unvalidated-input': 'error',
    },
  },
];
```
Found a false positive? Report it on GitHub.