
Lack of Data Validation - Out of Range

Need

Prevent unauthorized access to restricted functionalities

Context

• Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications

• Usage of Plug for request routing

Description

1. Non compliant code

defmodule MyAppWeb.EmployeeController do
  use MyAppWeb, :controller

  def show(conn, params) do
    # No domain restriction validation: any request that reaches this
    # action is served, regardless of who the user is or which domain
    # they belong to
    employee = MyApp.get_employee(params["id"])
    render(conn, "show.html", employee: employee)
  end
end

This code is vulnerable because it does not validate whether the user is authorized to access the employee management panel based on their domain. Because the restriction is not enforced in the controller itself, an attacker who knows or guesses the absolute path to the employee management panel can request it directly and bypass any restriction that exists only in the navigation or at a higher layer.

2. Steps

• Add a function that validates whether the authenticated user is authorized to access the employee management panel based on their domain. Derive the domain from the authenticated identity (for example, the session), not from the request's Host header or a request parameter, which the client controls.

• Call this validation function before calling 'MyApp.get_employee'. If the validation fails, return an error response (HTTP 403) and do not load the employee.

3. Secure code example

defmodule MyAppWeb.EmployeeController do
  use MyAppWeb, :controller

  def show(conn, params) do
    # authorized_domain?/1 is assumed to be defined elsewhere: it derives
    # the user's domain from the authenticated session and checks it
    # against the allow-list for the employee management panel
    if authorized_domain?(conn) do
      employee = MyApp.get_employee(params["id"])
      render(conn, "show.html", employee: employee)
    else
      send_resp(conn, 403, "Access Denied")
    end
  end
end

This code is safe because it validates whether the user is authorized to access the employee management panel based on their domain before any employee data is loaded. If the user is not authorized, it returns a 403 'Access Denied' response and never calls 'MyApp.get_employee'. The domain used for the check must come from the authenticated identity, not from the Host header or a query parameter, since the client controls those.
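The following is an added example, not code from the original page: it implements the steps above as a reusable Plug so the check cannot be forgotten in individual actions. It assumes an earlier authentication plug has placed the current user in conn.assigns.current_user with an :email field, and the allow-list 'corp.example.com' is a hypothetical placeholder. It also validates that the 'id' parameter is a positive integer before it is used, which is the out-of-range case the page title refers to.

```elixir
defmodule MyAppWeb.Plugs.RequireAuthorizedDomain do
  @moduledoc """
  Allows the request to continue only when the authenticated user's
  domain is on the allow-list for the employee management panel.
  Assumption: an earlier authentication plug has set
  conn.assigns.current_user to a map with an :email key.
  """
  import Plug.Conn

  @behaviour Plug

  # Hypothetical allow-list; in a real deployment read it from config.
  @allowed_domains ["corp.example.com"]

  @impl true
  def init(opts), do: Keyword.put_new(opts, :allowed_domains, @allowed_domains)

  @impl true
  def call(conn, opts) do
    if authorized_domain?(conn, opts[:allowed_domains]) do
      conn
    else
      # Deny and stop the pipeline so the controller action never runs.
      conn
      |> send_resp(403, "Access Denied")
      |> halt()
    end
  end

  # The domain is taken from the authenticated identity (the e-mail
  # suffix), never from the Host header or a request parameter, which
  # the client controls.
  def authorized_domain?(%Plug.Conn{assigns: %{current_user: %{email: email}}}, allowed)
      when is_binary(email) do
    case String.split(email, "@") do
      [_local, domain] -> String.downcase(domain) in allowed
      _ -> false
    end
  end

  # No authenticated user, or no e-mail on the user: deny by default.
  def authorized_domain?(_conn, _allowed), do: false
end

defmodule MyAppWeb.EmployeeController do
  use MyAppWeb, :controller

  # Enforce the domain check before every action in this controller.
  plug MyAppWeb.Plugs.RequireAuthorizedDomain

  def show(conn, %{"id" => id}) do
    # Out-of-range input: accept only a positive integer id, so strings
    # such as "-1", "0", "abc" or "1; DROP" never reach the data layer.
    case Integer.parse(id) do
      {n, ""} when n > 0 ->
        employee = MyApp.get_employee(n)
        render(conn, "show.html", employee: employee)

      _ ->
        send_resp(conn, 400, "Invalid employee id")
    end
  end
end
```

Because the check lives in a plug, adding a new action to the controller cannot silently skip it, and the same plug can be mounted in a router pipeline for every route under the employee management panel. Deny-by-default in the fallback clause of authorized_domain?/2 means a request without an authenticated user is refused rather than let through.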