Lack of Data Validation - Reflected Parameters
Need
Prevent XSS vulnerabilities due to unvalidated user input in server error responses
Context
• Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications
• Usage of Phoenix framework for request handling
Description
1. Non compliant code
defmodule MyAppWeb.ErrorHandlerController do
  use MyAppWeb, :controller

  # Phoenix decodes request parameters into a map with string keys, so the
  # clause must match on "msg" (a charlist key such as 'msg' never matches).
  def error(conn, %{"msg" => msg}) do
    send_resp(conn, 500, msg)
  end
end

This code is vulnerable because it reflects the 'msg' request parameter into the 500 response body verbatim, with no validation or output encoding. send_resp/3 also sets no Content-Type header, so a browser sniffs the body and renders it as HTML. A request whose 'msg' parameter carries a script tag therefore becomes a reflected Cross-Site Scripting (XSS) attack: the script executes in the application's origin for any victim who follows the crafted link.
2. Steps
• Make sure the 'phoenix_html' library is available (it is a default dependency of Phoenix applications). Its 'Phoenix.HTML.html_escape/1' function encodes the characters that are significant in HTML (<, >, &, " and ') as entities. Note that this is output encoding rather than input sanitization: the value is still accepted, but it can no longer break out of a text context.
• In the error function, pass the 'msg' parameter through 'Phoenix.HTML.html_escape/1' before including it in the response. The function returns a '{:safe, iodata}' tuple rather than a string, so convert it with 'Phoenix.HTML.safe_to_string/1' before handing it to 'send_resp/3'. Also set an explicit Content-Type with 'put_resp_content_type/2' so the browser does not sniff the body.
3. Secure code example
defmodule MyAppWeb.ErrorHandlerController do
  use MyAppWeb, :controller

  def error(conn, %{"msg" => msg}) do
    # html_escape/1 returns {:safe, iodata}; safe_to_string/1 unwraps it to a binary
    escaped_msg =
      msg
      |> Phoenix.HTML.html_escape()
      |> Phoenix.HTML.safe_to_string()

    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(500, escaped_msg)
  end
end

This code is secure because the 'msg' parameter is HTML-encoded by 'Phoenix.HTML.html_escape/1' before it reaches the response body, so a payload such as <script> is delivered as &lt;script&gt; and displayed as text instead of being executed. Declaring the body as text/plain adds a second, independent line of defence: browsers do not execute script in a plain-text response even if a character were to slip past the encoder. The same rule applies wherever user-controlled data is reflected into a response, not only in error handlers.
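The following script is an added example, not code from the original page or from Phoenix itself. It reproduces the reflecting handler and its hardened form as plain Plug functions and checks both with Plug.Test, so it runs without a Phoenix project. It assumes that 'mix' can fetch the 'plug' package via Mix.install; the module names and the '/error' path are hypothetical.

```elixir
# Added example: vulnerable vs. hardened reflection of a request parameter,
# verified with Plug.Test. Run with: elixir reflected_param_demo.exs
# Assumes Mix.install can fetch :plug; module and route names are hypothetical.
Mix.install([{:plug, "~> 1.14"}])

defmodule ReflectedParamDemo do
  import Plug.Conn

  # Vulnerable: the raw "msg" parameter is reflected into the body. send_resp/3
  # sets no content-type, so a browser sniffs the body and treats it as HTML.
  def vulnerable(conn, %{"msg" => msg}) do
    send_resp(conn, 500, msg)
  end

  # Hardened: declare the body as plain text (browsers do not execute script in
  # it) and HTML-encode the parameter with Plug.HTML.html_escape/1, which
  # returns a binary that send_resp/3 accepts directly.
  def hardened(conn, %{"msg" => msg}) do
    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(500, Plug.HTML.html_escape(msg))
  end
end

ExUnit.start()

defmodule ReflectedParamDemoTest do
  use ExUnit.Case

  # Constructed attacker input: a classic reflected-XSS probe.
  @payload "<script>alert(document.cookie)</script>"

  test "vulnerable handler reflects the payload verbatim with no content type" do
    conn = Plug.Test.conn(:get, "/error", %{"msg" => @payload})
    resp = ReflectedParamDemo.vulnerable(conn, conn.params)

    assert resp.status == 500
    assert resp.resp_body == @payload
    assert Plug.Conn.get_resp_header(resp, "content-type") == []
  end

  test "hardened handler encodes the payload and labels the body as text" do
    conn = Plug.Test.conn(:get, "/error", %{"msg" => @payload})
    resp = ReflectedParamDemo.hardened(conn, conn.params)

    assert resp.status == 500
    assert resp.resp_body == "&lt;script&gt;alert(document.cookie)&lt;/script&gt;"
    assert [content_type] = Plug.Conn.get_resp_header(resp, "content-type")
    assert content_type =~ "text/plain"
    refute resp.resp_body =~ "<script>"
  end
end
```

The second test is the regression check worth keeping in a real project: it pins both the encoded body and the Content-Type header, so a later refactor that drops either control fails the build rather than quietly reopening the reflected-XSS hole. In a Phoenix application the same assertions can be written against the controller with Phoenix.ConnTest.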