
Security audit: input validation, rate-limit memory leak, unsafe as any in code examples #3

Merged
VoDaiLocz merged 2 commits into main from copilot/review-security-audit-code-examples on Mar 4, 2026

Conversation

Copilot AI (Contributor) commented Mar 4, 2026

Code examples across the reference docs contained several security and correctness issues that developers could inadvertently replicate in production code.

Changes

Missing input validation in API route examples

  • architecture-patterns.md — Next.js POST handler now parses the request body through CreateUserSchema.parse() before passing to the service layer
  • framework-catalog.md — Server Action createUser now validates FormData via CreateUserSchema.parse() before calling the service
// Before — raw user input reaches service layer unchecked
export async function POST(req: Request) {
  const body = await req.json();
  const result = await UserService.create(body);
  ...
}

// After
export async function POST(req: Request) {
  const body = await req.json();
  const validated = CreateUserSchema.parse(body); // ← validate before passing to service
  const result = await UserService.create(validated);
  ...
}

withRateLimit memory leak (code-patterns.md)

The Map<string, number> accumulated every unique IP address forever. Replaced with a windowed counter Map<string, { count: number; resetAt: number }> — adds a windowMs parameter; entries reset per window instead of growing unboundedly.

Unsafe as any assertion in test example (testing-patterns.md)

createNotification("pigeon" as any) replaced with // @ts-expect-error, which is the correct TypeScript idiom for testing runtime rejection of invalid inputs without broadly suppressing type checking. Test call signature updated to match new withRateLimit(limit, windowMs, handler) API.


Checked but no changes needed: no hardcoded secrets (config uses env vars), CQRS SQL query uses parameterized $1, Python Singleton uses threading.Lock(), TypeScript Singleton is module-level in single-threaded Node.js, EventBus on() already returns an unsubscribe function, and anti-patterns.md already documents missing timeouts as a 🔴 High severity anti-pattern with the correct fix.

Original prompt

This section details the original issue you should resolve

<issue_title>Review: Security audit for all code examples</issue_title>
<issue_description>Run a security check on all code examples:

  1. Are there any hardcoded secrets?
  2. Is there SQL injection in the query examples?
  3. Is input validation missing in the API route examples?
  4. Does the Singleton implementation have a race condition?
  5. Does the EventBus/Observer have a memory leak?
  6. Are external API calls missing a timeout/retry?
  7. Are there unsafe `as any` type assertions?

For each issue, state the file, the line, and how to fix it.
</issue_description>

<agent_instructions>@github-copilot review this issue and analyze the repository
</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@VoDaiLocz @github-copilot review this issue and analyze the repository

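The two code fixes described in the PR (schema validation before the service layer, and a windowed `withRateLimit(limit, windowMs, handler)` counter) combined into one runnable handler. This is an added example, not code from the repository or from the PR diff: `CreateUserSchema`, `UserService` and `withRateLimit` follow the names in the description, but their bodies here are stand-ins, the request/response shapes are plain objects rather than the Web `Request`/`Response`, and the injectable clock is an assumption added so the window can be advanced deterministically. It also adds a caveat the PR description does not mention: resetting a counter per window keeps one entry per IP ever seen unless expired entries are swept, so the limiter below sweeps once per window and exposes `size()` to show the Map stays bounded.

```typescript
// Added example (not the project's code). Request/Response are modelled as
// plain objects so the block runs offline under plain Node.
type Req = { ip: string; body: unknown };
type Res = { status: number; body: unknown };
type Handler = (req: Req) => Res;

// --- Input validation (stand-in for a CreateUserSchema.parse() call) --------
type CreateUser = { email: string; name: string };

class ValidationError extends Error {
  constructor(message: string) {
    super(message);
    Object.setPrototypeOf(this, ValidationError.prototype); // safe under any TS target
    this.name = "ValidationError";
  }
}

// Narrows `unknown` to CreateUser and throws on anything else, so the
// service layer never sees raw JSON from the client.
const CreateUserSchema = {
  parse(input: unknown): CreateUser {
    if (typeof input !== "object" || input === null) throw new ValidationError("body must be an object");
    const o = input as Record<string, unknown>;
    const { email, name } = o;
    if (typeof email !== "string" || email.length > 254 || !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email))
      throw new ValidationError("invalid email");
    if (typeof name !== "string" || name.trim().length === 0 || name.length > 100)
      throw new ValidationError("invalid name");
    // Reject unknown keys: a client-supplied { role: "admin" } must not reach the service.
    const extra = Object.keys(o).filter((k) => k !== "email" && k !== "name");
    if (extra.length > 0) throw new ValidationError(`unexpected fields: ${extra.join(", ")}`);
    return { email, name: name.trim() };
  },
};

// Stand-in service that records what it was handed.
const UserService = {
  created: [] as CreateUser[],
  create(u: CreateUser) {
    this.created.push(u);
    return { id: this.created.length, ...u };
  },
};

// --- Windowed rate limiter ---------------------------------------------------
type Bucket = { count: number; resetAt: number };

function withRateLimit(
  limit: number,
  windowMs: number,
  handler: Handler,
  now: () => number = Date.now, // assumed: injectable clock for deterministic tests
): Handler & { size: () => number } {
  const hits = new Map<string, Bucket>();
  let lastSweep = 0;
  const limited: Handler = (req) => {
    const t = now();
    // Sweep expired buckets once per window so the Map is bounded by the
    // number of currently active clients, not every IP ever seen.
    if (t - lastSweep >= windowMs) {
      for (const [ip, b] of hits) if (b.resetAt <= t) hits.delete(ip);
      lastSweep = t;
    }
    let b = hits.get(req.ip);
    if (!b || b.resetAt <= t) {
      b = { count: 0, resetAt: t + windowMs };
      hits.set(req.ip, b);
    }
    b.count += 1;
    if (b.count > limit) {
      return { status: 429, body: { error: "Too Many Requests", retryAfterMs: b.resetAt - t } };
    }
    return handler(req);
  };
  return Object.assign(limited, { size: () => hits.size });
}

// --- The route handler: validate first, then call the service ---------------
const POST: Handler = (req) => {
  let validated: CreateUser;
  try {
    validated = CreateUserSchema.parse(req.body);
  } catch (e) {
    if (e instanceof ValidationError) return { status: 400, body: { error: e.message } };
    throw e; // anything else is a bug, not a client error
  }
  return { status: 201, body: UserService.create(validated) };
};

// Fake clock so a window can be advanced without sleeping.
function makeClock(start = 0) {
  let t = start;
  return { now: () => t, advance: (ms: number) => { t += ms; } };
}
```

Rejected requests (400 and 429 alike) still count against the window, which is the usual choice: an attacker probing the validator should burn quota, not get free attempts. The sweep runs at most once per window, so its cost is amortised across requests rather than paid on every call.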

@VoDaiLocz (Owner) commented

Fix 1: Missing input validation in the API route examples (architecture-patterns.md, framework-catalog.md)
Fix 2: Memory leak, Map entries never expire (withRateLimit, code-patterns.md)
Fix 3: Unsafe `as any` type assertion in the test example → use @ts-expect-error (testing-patterns.md)
Fix 4: Update the test signature to match the new withRateLimit windowMs parameter (testing-patterns.md)
Fix 5: Verify there are no hardcoded secrets, SQL injection, singleton race conditions, or missing timeouts (already handled in the existing examples)

…e as-any assertion

Co-authored-by: VoDaiLocz <88762074+VoDaiLocz@users.noreply.github.com>
@VoDaiLocz (Owner) commented

@copilot

Copilot AI changed the title from "[WIP] Review security audit for all code examples" to "Security audit: input validation, rate-limit memory leak, unsafe as any in code examples" Mar 4, 2026
@VoDaiLocz VoDaiLocz marked this pull request as ready for review March 4, 2026 05:21
@VoDaiLocz VoDaiLocz merged commit 748642b into main Mar 4, 2026
2 checks passed


Successfully merging this pull request may close these issues:

Review: Security audit for all code examples
