Lack of data validation - Trust boundary violation
Need
To prevent potential security vulnerabilities due to trusting and mixing untrusted data in the same data structure or structured message.
Context
• Usage of Elixir for building scalable and fault-tolerant applications
• Usage of Elixir for building scalable and fault-tolerant applications
• Usage of user-provided data without validation
Description
1. Non compliant code
defmodule VulnerableApp do
def handle_request(params) do
{:ok, message} = build_message(params)
send_message(message)
end
defp build_message(params) do
end...This Elixir code directly includes user-provided data in a structured message without any validation or sanitization. An attacker can potentially manipulate the message to introduce malicious payloads.
2. Steps
• Validate user-provided data before including it in structured messages or data structures.
• Sanitize user-provided data to remove any potentially malicious payloads.
• Consider using parameterized queries or prepared statements for database operations to prevent SQL Injection attacks.
3. Secure code example
defmodule SecureApp do
def handle_request(params) do
sanitized_params = sanitize(params)
case validate(sanitized_params) do
:ok -> {:ok, message} = build_message(sanitized_params)
send_message(message)
{:error, reason} -> {:error, reason}
end...This Elixir code validates and sanitizes user-provided data before including it in a structured message, thereby preventing potential injection attacks.