MEDIUM: No input validation before API calls

[sfloess]

Severity

Medium

Description

AI client sendMessage() methods lack input validation. No checks for:

• Null/empty messages
• Message length limits
• Invalid characters
• Encoding issues
• Injection attacks

Affected Files

All *Client.java files in all 9 AI modules

Examples of Missing Validation

// Current - NO validation
public String sendMessage(String message) {
    // What if message is null? Empty? 1MB of text?
    return apiClient.call(message);
}

Potential Issues

1. Null messages → NullPointerException
2. Empty messages → Wasted API calls
3. Oversized messages → API quota exceeded, request failures
4. Invalid encoding → Malformed JSON
5. Injection risks → Unescaped content in JSON

Recommended Fix

public String sendMessage(String message) {
    // Null check
    Objects.requireNonNull(message, "message cannot be null");
    
    // Empty check
    if (message.trim().isEmpty()) {
        throw new IllegalArgumentException("message cannot be empty");
    }
    
    // Length limit (varies by provider)
    if (message.length() > MAX_MESSAGE_LENGTH) {
        throw new IllegalArgumentException(
            "message exceeds maximum length of " + MAX_MESSAGE_LENGTH);
    }
    
    // Sanitize for JSON
    String sanitized = sanitizeForJson(message);
    
    return apiClient.call(sanitized);
}

Priority

Medium - Affects reliability but not security-critical