Lack of Data Validation - Dates
Need
Prevent unauthorized changes to product data by validating permissions and data before processing requests
Context
• Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications
• Usage of Phoenix Framework for request handling
Description
1. Non-compliant code

    defmodule MyAppWeb.ProductController do
      use MyAppWeb, :controller

      def update(conn, params) do
        # No permissions or date validation
        MyApp.update_product(params)
        send_resp(conn, 200, "Product updated")
      end
    end

This code is vulnerable because it does not verify the caller's permissions or validate the dates in 'params' before updating the product. An attacker can bypass frontend restrictions and send a request that the server processes as valid, potentially causing data integrity and availability issues.
2. Steps
• Add a function to check if the current user has permission to modify the product.
• Add another function to validate the dates in 'params' before updating the product.
• Before calling 'MyApp.update_product', call these two functions. If either check fails, return an error response.
3. Secure code example

    defmodule MyAppWeb.ProductController do
      use MyAppWeb, :controller

      def update(conn, params) do
        # validate_dates/1 is the date-validation function added in step 2
        if MyApp.check_permissions(conn) && validate_dates(params) do
          MyApp.update_product(params)
          send_resp(conn, 200, "Product updated")
        else
          send_resp(conn, 403, "Invalid request")
        end
      end
    end

This code is safe because it checks permissions and validates dates before updating the product. If the request fails either check, it returns an error response instead of processing an invalid or unauthorized request.
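A fuller version of the same controller, added here as an illustration and not part of the original page: it carries out the permission check and date validation from the steps above in a single `with` chain, rejecting missing, malformed, out-of-range or reversed dates on the server side. MyApp.Products, conn.assigns.current_user, the admin/owner policy and the starts_on/ends_on parameters are assumed names.

```elixir
defmodule MyAppWeb.ProductController do
  use MyAppWeb, :controller

  # Added example: MyApp.Products, :current_user and the starts_on/ends_on
  # params are assumed names, not from the original page.
  def update(conn, %{"id" => id} = params) do
    with :ok <- authorize(conn.assigns[:current_user], id),
         {:ok, dates} <- validate_dates(params) do
      MyApp.Products.update_product(id, Map.merge(params, dates))
      send_resp(conn, 200, "Product updated")
    else
      {:error, :forbidden} -> send_resp(conn, 403, "Forbidden")
      {:error, reason} -> send_resp(conn, 422, "Invalid dates: #{reason}")
    end
  end

  # Assumed policy: only admins and the product's owner may update it.
  defp authorize(nil, _id), do: {:error, :forbidden}
  defp authorize(%{role: :admin}, _id), do: :ok
  defp authorize(user, id) do
    if MyApp.Products.owner?(id, user.id), do: :ok, else: {:error, :forbidden}
  end

  # Both dates must be present, parse as ISO 8601, fall in a plausible
  # window and be ordered; the parsed Date structs replace the raw strings.
  defp validate_dates(%{"starts_on" => s, "ends_on" => e}) do
    with {:ok, starts_on} <- parse_date(s, "starts_on"),
         {:ok, ends_on} <- parse_date(e, "ends_on"),
         :ok <- check_order(starts_on, ends_on) do
      {:ok, %{"starts_on" => starts_on, "ends_on" => ends_on}}
    end
  end
  defp validate_dates(_), do: {:error, "starts_on and ends_on are required"}

  defp parse_date(value, field) when is_binary(value) do
    case Date.from_iso8601(value) do
      {:ok, %Date{year: y} = d} when y in 2000..2100 -> {:ok, d}
      {:ok, _} -> {:error, "#{field} is outside the accepted range"}
      {:error, _} -> {:error, "#{field} is not a valid ISO 8601 date"}
    end
  end
  defp parse_date(_, field), do: {:error, "#{field} must be a string"}

  defp check_order(starts_on, ends_on) do
    if Date.compare(starts_on, ends_on) == :gt,
      do: {:error, "ends_on precedes starts_on"},
      else: :ok
  end
end
```

Returning 403 for authorization failures and 422 for malformed dates keeps the two failure modes distinguishable in logs without leaking which check rejected a forbidden request's payload.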
References
• 196. Lack of Data Validation - Dates