HTTP Parameter Pollution - Elixir


Need

Prevent unexpected behavior due to injection of extra HTTP parameters


Context

  1. Usage of Elixir for building scalable and fault-tolerant applications
  2. Usage of Plug Cowboy for building web applications in Elixir
  3. Usage of HTTP parameter validation
  4. Usage of input sanitization for protecting against malicious user input

Description

Insecure Code Example

defmodule MyApp.Router do
  use Plug.Router

  # Plug.Parsers fetches query and body parameters into conn.params;
  # without it conn.params stays unfetched and "name" is never read.
  plug Plug.Parsers, parsers: [:urlencoded, :multipart], pass: ["*/*"]
  plug :match
  plug :dispatch

  get "/" do
    # Whatever arrived under "name" (a string, a list from name[]=..., or the
    # last of several duplicates) is interpolated straight into the response.
    send_resp(conn, 200, "Hello, #{conn.params["name"]}")
  end

  match _ do
    send_resp(conn, 404, "Oops, not found!")
  end
end

This Elixir code is vulnerable because it performs no validation or sanitization of the incoming parameters: the value under "name" is read from conn.params and interpolated into the response regardless of its type or of how many times the parameter was supplied. This allows injection of extra or duplicated parameters that can cause unexpected behavior.

Steps

  1. Validate the incoming parameters to ensure they are as expected.
  2. Sanitize the parameters to remove any potential harmful data.

Secure Code Example

defmodule MyApp.Router do
  use Plug.Router

  # Plug.Parsers fetches query and body parameters into conn.params;
  # without it the "name" parameter would never be read.
  plug Plug.Parsers, parsers: [:urlencoded, :multipart], pass: ["*/*"]
  plug :match
  plug :dispatch

  get "/" do
    case Map.get(conn.params, "name", "") do
      # Accept only a single string value: polluted forms such as
      # name[]=a&name[]=b decode to a list and are rejected here.
      name when is_binary(name) ->
        # Strip each angle bracket; a literal "<>" pattern would only
        # match that exact two-character sequence.
        name = String.replace(name, ~r/[<>]/, "")
        send_resp(conn, 200, "Hello, #{name}")

      _ ->
        send_resp(conn, 400, "Invalid name parameter")
    end
  end

  match _ do
    send_resp(conn, 404, "Oops, not found!")
  end
end

This Elixir code is safe because it validates and sanitizes the incoming parameter: it checks that 'name' is present as a plain string and removes potentially harmful characters before the value is echoed back.
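The sanitization above still relies on stripping characters after Plug has already collapsed duplicated keys. The following added example (not code from the original page) goes one step further and shows how Plug actually decodes polluted query strings and how to reject them outright: it counts how often "name" appears in the raw query string, requires the decoded value to be a single string, and checks it against an allowlist instead of blacklisting angle brackets. The module names MyApp.ParamGuard and MyApp.GuardedRouter are hypothetical; the code assumes the plug dependency (and plug_cowboy to serve it).

```elixir
# Added example; not part of the original page. Module names are hypothetical.
defmodule MyApp.ParamGuard do
  # Allowlist for a display name: letters, digits, space, apostrophe, hyphen,
  # at most 64 characters. Anything else (including < and >) is rejected
  # rather than stripped.
  @allowed ~r/\A[\p{L}\p{N} '\-]{1,64}\z/u

  # Returns {:ok, name} only when the raw query string carries the key exactly
  # once and the decoded value is a single string matching @allowed.
  # Plug.Conn.Query keeps the last of duplicated plain keys and turns
  # "name[]=..." into a list, so the occurrence count and the type check
  # together catch both pollution forms.
  def fetch_name(query_string) when is_binary(query_string) do
    decoded = Plug.Conn.Query.decode(query_string)

    case {occurrences(query_string, "name"), Map.get(decoded, "name")} do
      {0, _} ->
        {:error, :missing}

      {n, _} when n > 1 ->
        {:error, :duplicated}

      {1, name} when is_binary(name) ->
        if Regex.match?(@allowed, name), do: {:ok, name}, else: {:error, :invalid_chars}

      {1, _} ->
        {:error, :not_a_scalar}
    end
  end

  # Counts how many query pairs name this key, treating "name", "name[]" and
  # "name[x]" as the same key, the way Plug.Conn.Query groups them.
  defp occurrences(query_string, key) do
    query_string
    |> String.split("&", trim: true)
    |> Enum.count(fn pair ->
      pair
      |> String.split("=", parts: 2)
      |> hd()
      |> URI.decode_www_form()
      |> String.replace(~r/\[.*\]\z/, "")
      |> Kernel.==(key)
    end)
  end
end

defmodule MyApp.GuardedRouter do
  use Plug.Router

  plug Plug.Parsers, parsers: [:urlencoded], pass: ["*/*"]
  plug :match
  plug :dispatch

  # conn.query_string is the raw, undecoded query, which is what the guard
  # needs in order to count duplicates; conn.params has already collapsed them.
  get "/" do
    case MyApp.ParamGuard.fetch_name(conn.query_string) do
      {:ok, name} ->
        send_resp(conn, 200, "Hello, #{name}")

      {:error, reason} ->
        send_resp(conn, 400, "Rejected name parameter: #{reason}")
    end
  end

  match _ do
    send_resp(conn, 404, "Oops, not found!")
  end
end
```

In iex you can exercise the guard directly with inputs such as `MyApp.ParamGuard.fetch_name("name=Alice&name=Bob")` or `MyApp.ParamGuard.fetch_name("name[]=Alice")`, or drive the router through Plug.Test with `conn(:get, "/?name=Alice")`. The design choice is to fail closed: any request whose "name" is absent, repeated, non-scalar or outside the allowlist gets a 400, so a polluted request can never reach the response interpolation.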


References

  • 121 - HTTP Parameter Pollution

  • Last updated

    2023/09/18