Lack of data validation - Headers
Need
Implementation of proper data validation for HTTP headers
Context
• Usage of Dart for building cross-platform mobile, web, and desktop applications
• Usage of Shelf for managing and organizing data in a Node.js application
Description
1. Non compliant code
```dart
import 'package:shelf/shelf.dart' as shelf;

shelf.Response handleRequest(shelf.Request request) {
  // Header values are taken straight from the request, with no validation
  var name = request.headers['name'];
  var data = request.headers['data'];
  // ... rest of the code uses the raw values, e.g. reflecting them in the body
  return new shelf.Response.ok('Hello $name, you sent $data');
}
```

The `handleRequest` function in the above code snippet handles an incoming HTTP request. It extracts the 'name' and 'data' headers from the request without any form of validation. This lack of validation leaves the application vulnerable, since attackers can inject malicious values into these headers. For example, an attacker could exploit this to carry out a Cross-Site Scripting (XSS) attack by injecting JavaScript code into the 'name' or 'data' header. When these values are then used by the server, the consequences can include the execution of malicious scripts, data theft, or even server compromise. Another potential issue is that the integrity of stored information could be compromised: if the header values are used in database queries without proper sanitization, this can lead to SQL Injection attacks. Therefore, it is crucial to validate all incoming data, including HTTP headers, to ensure its integrity and safety.
2. Steps
• Validate the headers before using them. This can be done by checking if the header values match a certain pattern or if they are within a certain range.
• Sanitize the headers to remove any potentially harmful characters. This can be done using a library or function that is designed for this purpose.
• Implement a whitelist of acceptable header values. Any headers not on the whitelist should be rejected.
• Use a web application firewall (WAF) to filter out malicious headers.
• Encode the headers before storing or displaying them to prevent XSS attacks.
• Implement error handling to handle cases where invalid headers are provided.
3. Secure code example
```dart
import 'package:shelf/shelf.dart' as shelf;

shelf.Response handleRequest(shelf.Request request) {
  var name = request.headers['name'];
  var data = request.headers['data'];
  // Validate the headers; reject the request before the values are used
  if (!isValidHeader(name) || !isValidHeader(data)) {
    return new shelf.Response(400, body: 'Invalid headers');
  }
  // Sanitize the validated headers before any further use
  name = sanitizeHeader(name);
  data = sanitizeHeader(data);
  return new shelf.Response.ok('Hello $name, you sent $data');
}
```

The updated code includes validation and sanitization of the HTTP headers. The `isValidHeader` function is used to validate the headers. This function should contain the logic to check whether the header values match a certain pattern or fall within a certain range. If the headers are not valid, the function returns a 400 response with the message 'Invalid headers'. The `sanitizeHeader` function is used to sanitize the headers. This function should contain the logic to remove any potentially harmful characters from the headers. These changes help to prevent malicious values from being injected through the headers, which could otherwise lead to XSS attacks or compromise the integrity of the stored information. Please note that this is a basic example: the validation and sanitization logic should be adapted to your specific needs and to the nature of the headers you are working with. In addition to these changes, it is recommended to implement a whitelist of acceptable header values, use a web application firewall (WAF) to filter out malicious headers, encode the headers before storing or displaying them to prevent XSS attacks, and implement error handling for cases where invalid headers are provided.
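The following is an added, complete example (not part of the original page) that fills in the `isValidHeader` and `sanitizeHeader` functions left abstract above and applies the steps from the list: allowlist validation, sanitization, output encoding and a 400 error path. The allowlist pattern, the 64-character limit and the `htmlEncode` helper are assumptions chosen for the example, and the handler is exercised with constructed `shelf.Request` objects so no server is needed.

```dart
import 'package:shelf/shelf.dart' as shelf;

// Hypothetical allowlist for both headers: letters, digits, space, dot,
// dash and underscore, 1 to 64 characters. Adapt it per header.
final RegExp _allowed = RegExp(r'^[A-Za-z0-9 ._-]{1,64}$');

// Validation: a missing header, an over-long value or any character
// outside the allowlist is rejected before the value is used anywhere.
bool isValidHeader(String? value) => value != null && _allowed.hasMatch(value);

// Sanitization (defence in depth): drop anything outside the allowlist so
// later code paths never see a character validation did not approve.
String sanitizeHeader(String value) =>
    value.replaceAll(RegExp(r'[^A-Za-z0-9 ._-]'), '');

// Output encoding: escape HTML metacharacters before a value is reflected
// into an HTML body, so it can never be interpreted as markup or script.
String htmlEncode(String value) => value
    .replaceAll('&', '&amp;')
    .replaceAll('<', '&lt;')
    .replaceAll('>', '&gt;')
    .replaceAll('"', '&quot;')
    .replaceAll("'", '&#x27;');

shelf.Response handleRequest(shelf.Request request) {
  final name = request.headers['name'];
  final data = request.headers['data'];
  // Error handling: invalid or missing headers get a 400 and nothing else runs.
  if (!isValidHeader(name) || !isValidHeader(data)) {
    return shelf.Response(400, body: 'Invalid headers');
  }
  final safeName = sanitizeHeader(name!);
  final safeData = sanitizeHeader(data!);
  final body = '<p>Hello ${htmlEncode(safeName)}: ${htmlEncode(safeData)}</p>';
  return shelf.Response.ok(body, headers: {'content-type': 'text/html'});
}

// Exercise the handler with constructed requests; no server is needed.
Future<void> main() async {
  final accepted = shelf.Request('GET', Uri.parse('http://localhost/'),
      headers: {'name': 'alice', 'data': 'report_2024'});
  final rejected = shelf.Request('GET', Uri.parse('http://localhost/'),
      headers: {'name': '<b>alice</b>', 'data': 'report_2024'});
  print(await handleRequest(accepted).readAsString());
  print(handleRequest(rejected).statusCode);
}
```

Run with `dart run` in a package that depends on `shelf`; the first request is answered with the encoded body and the second is rejected with status 400 before any of its values are used.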
References
• 195. Lack of data validation - Headers