Lack of data validation - Responses
Need
Maintain data integrity by server-side validation of input data
Context
• Usage of Elixir (1.12 and above) for building scalable and fault-tolerant applications
• Usage of Plug for request handling
Description
1. Non compliant code
defmodule UserController do
use MyApp.Web, :controller
def show(conn, params) do
user = Repo.get(User, params["id"])
render(conn, "show.json", user: user)
end
def update(conn, params) do...This code fetches a user record and sends it in the response, then takes user data from a subsequent request and updates the user record without any validation. If the received data is invalid, it could lead to data integrity issues.
2. Steps
• Validate the incoming data before updating the record.
• If the data is not valid, return an error response.
3. Secure code example
defmodule UserController do
use MyApp.Web, :controller
def show(conn, params) do
user = Repo.get(User, params["id"])
render(conn, "show.json", user: user)
end
def update(conn, params) do...In the secure code example, the incoming user data is validated before it is used to update the user record. If the data is not valid, an error response is returned. This prevents an attacker from submitting invalid data.
References
• 191. Lack of data validation - Responses