Bug: Input validation occurs after sanitization

## Description

In `api.py`, input sanitization (HTML escaping) is applied BEFORE validation, which means the validation logic operates on the sanitized string rather than the original user input.

## Location

- **File:** `HF_files/aibom-generator/src/aibom-generator/api.py`
- **Line:** 588-591

## Current Code

```python
sanitized_model_id = html.escape(model_id)  # Line 588 - sanitize first
if not is_valid_hf_input(sanitized_model_id):  # Line 591 - validate sanitized
```

## Security Concern

1. Validation should check the **raw** input to detect malicious patterns
2. Sanitization should happen **after** validation passes
3. Current order could allow certain injection patterns to pass validation after being transformed by `html.escape()`

## Expected Behavior

```python
# Validate raw input first
if not is_valid_hf_input(model_id):
    return error_response("Invalid model ID")

# Then sanitize for use
sanitized_model_id = html.escape(model_id)
```

## Impact

- Potential security bypass if malicious input is transformed by sanitization into valid-looking input
- Inconsistent with secure coding best practices (OWASP guidelines recommend validate-then-sanitize)

## References

- [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bug: Input validation occurs after sanitization #14

Description

Location

Current Code

Security Concern

Expected Behavior

Impact

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Bug: Input validation occurs after sanitization #14

Description

Description

Location

Current Code

Security Concern

Expected Behavior

Impact

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions