logo

Database

Email uniqueness not properly verified

Need

Ensure email uniqueness verification during registration process

Context

• Usage of Dart for building cross-platform mobile, web, and desktop applications

• Usage of Shelf for managing and organizing data in a Node.js application

Description

1. Non compliant code

import 'package:shelf/shelf.dart' as shelf;

class User {
  String email;
  User(this.email);
}

...

In the above Dart code, we have a simple user registration system using the Shelf framework. The `handleRegister` function is responsible for handling the user registration process. The function first retrieves the email from the request's query parameters. It then checks if the email is already registered by iterating over the `users` list and comparing each user's email with the provided email. If the email is found in the list, the function returns a response indicating that the email is already registered. Otherwise, it creates a new `User` object with the provided email and adds it to the `users` list. Finally, it returns a response indicating that the registration was successful. The vulnerability here is that the system allows the plus character in the email registration process. This means that an attacker could use the same email with different plus suffixes to create multiple accounts. For example, an attacker could register `attacker@gmail.com`, `attacker+1@gmail.com`, and `attacker+2@gmail.com`, and all these emails would be treated as separate accounts by the system, even though they all point to the same email address.

2. Steps

• Normalize the email address before storing and comparing it. This can be done by removing all characters after and including the '+' sign in the local part of the email address.

• Implement a function to validate the email format. This function should check if the email contains a '+' character. If it does, the function should remove everything from the '+' character to the end of the local part of the email address.

• Use this function to normalize the email address in the 'handleRegister' function before checking if the email is already registered and before storing the new user's email.

• Ensure that this normalization process is applied consistently throughout the application, wherever email addresses are processed or compared.

3. Secure code example

import 'package:shelf/shelf.dart' as shelf;

class User {
  String email;
  User(this.email);
}

...

The updated code includes a new function `normalizeEmail` that normalizes the email address by removing all characters after and including the '+' sign in the local part of the email address. This function is used in the `handleRegister` function to normalize the email address before checking if the email is already registered and before storing the new user's email. The `normalizeEmail` function works by splitting the email address into the local part and the domain part. If the local part contains a '+' character, the function removes everything from the '+' character to the end of the local part. The function then returns the normalized email address. In the `handleRegister` function, the email address from the request is first normalized using the `normalizeEmail` function. The normalized email address is then used to check if the email is already registered and to store the new user's email. This normalization process ensures that email addresses are consistently processed and compared throughout the application, preventing an attacker from abusing the '+' character to create several accounts with the same email address.