From 0b612ed88955f5fe07246da24dadb8d71cd5a0cf Mon Sep 17 00:00:00 2001
From: Rui Tome <rtome@bitwarden.com>
Date: Wed, 7 Jan 2026 16:26:46 +0000
Subject: [PATCH] Implement model validation in PolicyDataValidator and enhance
 error handling

Added a ValidateModel method to enforce validation rules for policy data. Updated error messages to provide clearer feedback on validation failures. Enhanced unit tests to cover new validation scenarios for MinLength and MinComplexity properties.
---
 .../Utilities/PolicyDataValidator.cs          | 21 ++++++++++++--
 .../Utilities/PolicyDataValidatorTests.cs     | 29 ++++++++++++++++++-
 2 files changed, 46 insertions(+), 4 deletions(-)

diff --git a/src/Core/AdminConsole/Utilities/PolicyDataValidator.cs b/src/Core/AdminConsole/Utilities/PolicyDataValidator.cs
index 84e63f2a20..d533ca88cf 100644
--- a/src/Core/AdminConsole/Utilities/PolicyDataValidator.cs
+++ b/src/Core/AdminConsole/Utilities/PolicyDataValidator.cs
@@ -1,4 +1,5 @@
-using System.Text.Json;
+using System.ComponentModel.DataAnnotations;
+using System.Text.Json;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
@@ -30,7 +31,8 @@ public static class PolicyDataValidator
             switch (policyType)
             {
                 case PolicyType.MasterPassword:
-                    CoreHelpers.LoadClassFromJsonData<MasterPasswordPolicyData>(json);
+                    var masterPasswordData = CoreHelpers.LoadClassFromJsonData<MasterPasswordPolicyData>(json);
+                    ValidateModel(masterPasswordData, policyType);
                     break;
                 case PolicyType.SendOptions:
                     CoreHelpers.LoadClassFromJsonData<SendOptionsPolicyData>(json);
@@ -44,11 +46,24 @@ public static class PolicyDataValidator
         }
         catch (JsonException ex)
         {
-            var fieldInfo = !string.IsNullOrEmpty(ex.Path) ? $": field '{ex.Path}' has invalid type" : "";
+            var fieldName = !string.IsNullOrEmpty(ex.Path) ? ex.Path.TrimStart('$', '.') : null;
+            var fieldInfo = !string.IsNullOrEmpty(fieldName) ? $": {fieldName} has an invalid value" : "";
             throw new BadRequestException($"Invalid data for {policyType} policy{fieldInfo}.");
         }
     }
 
+    private static void ValidateModel(object model, PolicyType policyType)
+    {
+        var validationContext = new ValidationContext(model);
+        var validationResults = new List<ValidationResult>();
+
+        if (!Validator.TryValidateObject(model, validationContext, validationResults, true))
+        {
+            var errors = string.Join(", ", validationResults.Select(r => r.ErrorMessage));
+            throw new BadRequestException($"Invalid data for {policyType} policy: {errors}");
+        }
+    }
+
     /// <summary>
     /// Validates and deserializes policy metadata based on the policy type.
     /// </summary>
diff --git a/test/Core.Test/AdminConsole/Utilities/PolicyDataValidatorTests.cs b/test/Core.Test/AdminConsole/Utilities/PolicyDataValidatorTests.cs
index 43725d23e0..2c94634f7f 100644
--- a/test/Core.Test/AdminConsole/Utilities/PolicyDataValidatorTests.cs
+++ b/test/Core.Test/AdminConsole/Utilities/PolicyDataValidatorTests.cs
@@ -19,12 +19,17 @@ public class PolicyDataValidatorTests
     [Fact]
     public void ValidateAndSerialize_ValidData_ReturnsSerializedJson()
     {
-        var data = new Dictionary<string, object> { { "minLength", 12 } };
+        var data = new Dictionary<string, object>
+        {
+            { "minLength", 12 },
+            { "minComplexity", 4 }
+        };
 
         var result = PolicyDataValidator.ValidateAndSerialize(data, PolicyType.MasterPassword);
 
         Assert.NotNull(result);
         Assert.Contains("\"minLength\":12", result);
+        Assert.Contains("\"minComplexity\":4", result);
     }
 
     [Fact]
@@ -56,4 +61,26 @@ public class PolicyDataValidatorTests
 
         Assert.IsType<OrganizationModelOwnershipPolicyModel>(result);
     }
+
+    [Fact]
+    public void ValidateAndSerialize_ExcessiveMinLength_ThrowsBadRequestException()
+    {
+        var data = new Dictionary<string, object> { { "minLength", 129 } };
+
+        var exception = Assert.Throws<BadRequestException>(() =>
+            PolicyDataValidator.ValidateAndSerialize(data, PolicyType.MasterPassword));
+
+        Assert.Contains("Invalid data for MasterPassword policy", exception.Message);
+    }
+
+    [Fact]
+    public void ValidateAndSerialize_ExcessiveMinComplexity_ThrowsBadRequestException()
+    {
+        var data = new Dictionary<string, object> { { "minComplexity", 5 } };
+
+        var exception = Assert.Throws<BadRequestException>(() =>
+            PolicyDataValidator.ValidateAndSerialize(data, PolicyType.MasterPassword));
+
+        Assert.Contains("Invalid data for MasterPassword policy", exception.Message);
+    }
 }