Lack of data validation - Trust boundary violation - Elixir


Need

Prevent security vulnerabilities caused by mixing trusted and untrusted data in the same data structure or structured message.


Context

  1. Usage of Elixir for building scalable and fault-tolerant applications
  2. Usage of user-provided data without validation

Description

Insecure Code Example

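defmodule VulnerableApp do
  # Builds a message straight from the request parameters and sends it.
  def handle_request(params) do
    {:ok, message} = build_message(params)
    send_message(message)
  end

  # Untrusted values are interpolated as-is: no validation or sanitization.
  defp build_message(params) do
    {:ok, "Hello #{params[:name]}, your account balance is #{params[:balance]}"}
  end

  # Placeholder transport so the module compiles; replace with the real delivery call.
  defp send_message(message), do: IO.puts(message)
end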

This Elixir code interpolates user-provided data (params[:name] and params[:balance]) directly into a structured message without any validation or sanitization. An attacker can manipulate the message to introduce malicious payloads.

Steps

  1. Validate user-provided data before including it in structured messages or data structures.
  2. Sanitize user-provided data to remove any potentially malicious payloads.
  3. Consider using parameterized queries or prepared statements for database operations to prevent SQL Injection attacks.

Secure Code Example

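defmodule SecureApp do
  def handle_request(params) do
    sanitized_params = sanitize(params)

    case validate(sanitized_params) do
      :ok ->
        {:ok, message} = build_message(sanitized_params)
        send_message(message)
      {:error, reason} -> {:error, reason}
    end
  end

  # Illustrative sanitizer (assumed rules): keep only the expected keys.
  defp sanitize(params), do: Map.take(params, [:name, :balance])

  # Illustrative validator (assumed rules): alphanumeric name, numeric balance.
  defp validate(%{name: name, balance: balance}) when is_binary(name) and is_number(balance) do
    if name =~ ~r/\A[[:alnum:] ]{1,64}\z/, do: :ok, else: {:error, :invalid_name}
  end
  defp validate(_params), do: {:error, :invalid_params}

  defp build_message(params) do
    {:ok, "Hello #{params[:name]}, your account balance is #{params[:balance]}"}
  end

  # Placeholder transport so the module compiles; replace with the real delivery call.
  defp send_message(message), do: IO.puts(message)
end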

This Elixir code validates and sanitizes user-provided data before including it in a structured message, thereby preventing potential injection attacks.
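The following added example (not part of the original page) goes one step beyond the secure example: validation returns a dedicated struct, and the message builder accepts only that struct, so unvalidated params cannot be mixed into the message by mistake. The module names, allowed keys, name format and balance range are assumptions chosen for illustration; params use atom keys as in the code above.

```elixir
defmodule ValidatedRequest do
  # Hypothetical struct: only validate/1 builds it, so holding one means the
  # data has already been checked at the trust boundary.
  @enforce_keys [:name, :balance]
  defstruct [:name, :balance]

  # Turns an untrusted params map into a validated struct, or returns every
  # reason it was rejected. Allowed keys and limits are assumptions.
  def validate(params) when is_map(params) do
    name = Map.get(params, :name)
    balance = Map.get(params, :balance)
    unknown = for key <- Map.keys(params), key not in [:name, :balance], do: {:unknown_key, key}

    case unknown ++ check_name(name) ++ check_balance(balance) do
      [] -> {:ok, %__MODULE__{name: name, balance: balance}}
      errors -> {:error, errors}
    end
  end

  def validate(_other), do: {:error, [:params_not_a_map]}

  # Allowlist: 1-64 letters, spaces, apostrophes or hyphens; no control characters.
  defp check_name(name) when is_binary(name) do
    if String.valid?(name) and name =~ ~r/\A[\p{L} '\-]{1,64}\z/u, do: [], else: [:invalid_name]
  end
  defp check_name(_other), do: [:invalid_name]

  # Integers only, within an assumed range; numeric strings are rejected.
  defp check_balance(balance) when is_integer(balance) and balance in 0..1_000_000_000, do: []
  defp check_balance(_other), do: [:invalid_balance]
end

defmodule Messages do
  # Matching on the struct means a raw params map can never reach the template.
  def build_message(%ValidatedRequest{name: name, balance: balance}) do
    {:ok, "Hello #{name}, your account balance is #{balance}"}
  end
end

# Constructed sample inputs: one well-formed, one that tries to alter the message.
samples = [
  %{name: "Ana", balance: 1500},
  %{name: "Ana\nyour account balance is 9999", balance: "0", role: :admin}
]

for params <- samples do
  with {:ok, request} <- ValidatedRequest.validate(params) do
    Messages.build_message(request)
  end
  |> IO.inspect()
end
```

Passing a plain map to Messages.build_message/1 raises a FunctionClauseError, which makes a skipped validation step fail loudly instead of silently producing a message.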


References

  • 089 - Lack of data validation - Trust boundary violation

Last updated: 2023/09/18