Without server-side variant combination validation, a customer can construct a POST request to src/app/api/cart/route.ts with any arbitrary size and color values — including combinations that have no matching variant in the database. The cart then references a phantom record, checkout fails at payment time (or succeeds and fulfillment finds nothing to ship), and the error appears only after the customer has already paid. OWASP A03 (Injection) covers this class of untrusted input: the server must not act on client-supplied option values without confirming they map to a real record. Client-side filtering alone can be bypassed with curl in under ten seconds.
High because phantom variant combinations reach checkout and either produce fulfillment failures after payment or expose inventory state that the UI was meant to hide from the customer.
Add a database lookup in src/app/api/cart/route.ts that confirms the selected variant combination exists before the item is added to the cart — client-side filtering alone is not sufficient.
    // Reject the request unless the (productId, size, color) tuple maps to a real variant row.
    const variant = await prisma.productVariant.findFirst({
      where: { productId, size, color },
    })
    if (!variant) {
      // 400, not 500: the client sent a combination that does not exist.
      return Response.json({ error: 'Invalid variant combination' }, { status: 400 })
    }
Also validate in any server action that handles add-to-cart. Do not rely on <select> options being present in the client form — the request can be crafted independently of the UI.
ID: ecommerce-catalog.variant-pricing.variant-combination-validation
Severity: high
What to look for: Count all variant selection components and API endpoints in the codebase (e.g., src/components/product/VariantSelector.tsx, src/app/api/cart/route.ts). For each, check whether the code validates that a selected combination of options (size + color) actually exists as a variant before allowing add-to-cart. Look for a database query or lookup that confirms the combination exists.
Pass criteria: At least 1 validation path exists that checks whether a selected variant combination is valid before adding to cart. The validation queries the database or a preloaded variant list (not client-side-only filtering). Count all add-to-cart paths and report: "X of Y add-to-cart paths validate variant combinations."
Fail criteria: No validation exists in any add-to-cart path; a customer could select a combination that has no matching variant (e.g., size "XXL" + color "Neon Green" when that combination does not exist).
Do NOT pass when: Validation exists only on the frontend (client-side JavaScript filtering) but not on the server (API route or server action). Client-side validation alone can be bypassed.
Skip (N/A) when: The project has no variants — confirmed by absence of variant model and variant selection UI.
Cross-reference: For server-side input validation patterns, the API Security audit covers request validation and sanitization.
Cross-reference: For cart integrity and order validation, the Pre-Launch audit covers transactional data correctness.
Cross-reference: For variant selection accessibility, the Accessibility Fundamentals audit covers form control and disabled state patterns.
Detail on fail: "Variant selection in src/components/product/VariantSelector.tsx has no validation. Any combination of size/color can be selected, even if not available" or "No function found to validate variant combinations in src/app/api/cart/route.ts"
Remediation: Add validation logic to src/app/api/cart/route.ts:
    // Look up the exact combination; findFirst returns null when no variant row matches.
    const variant = await prisma.productVariant.findFirst({
      where: {
        productId,
        size,
        color,
      },
    })
    if (!variant) {
      // In a route handler, catch this and respond with status 400 (as in the earlier
      // snippet) rather than letting it surface as an unhandled 500.
      throw new Error('Invalid variant combination')
    }