Insufficient data authenticity validation - Elixir


Need

To prevent injection of potentially malicious characters into application fields


Context

  1. Usage of Elixir (version 1.12 and above) for building scalable and fault-tolerant applications
  2. Usage of Ecto.Repo for interacting with databases

Description

Insecure Code Example

defmodule MyApp.UserController do
  use MyApp.Web, :controller
  alias MyApp.User

  def update(conn, params) do
    user = MyApp.Repo.get!(User, params["id"])
    # The raw request params go straight into the changeset and are
    # persisted without the result ever being checked.
    _user = MyApp.Repo.update!(User.changeset(user, params))

    send_resp(conn, 200, "User data updated successfully")
  end
end

This code lets a user update their record by handing the request parameters to the changeset and persisting the result without any server-side validation or check on the input, which could lead to injection of potentially malicious characters into application fields.

Steps

  1. Validate user input on the server side
  2. Check the validity of the changeset before updating the user data

Secure Code Example

defmodule MyApp.UserController do
  use MyApp.Web, :controller
  alias MyApp.User

  def update(conn, params) do
    user = MyApp.Repo.get!(User, params["id"])

    # Build the changeset first so its validations run on the input.
    changeset = User.changeset(user, params)

    # Only persist when every validation in the changeset passed;
    # otherwise reject the request instead of writing the data.
    if changeset.valid? do
      _user = MyApp.Repo.update!(changeset)
      send_resp(conn, 200, "User data updated successfully")
    else
      send_resp(conn, 400, "Invalid data")
    end
  end
end

The secure code checks the validity of the changeset before updating the user data, so input that fails the changeset's validations is rejected with a 400 instead of being written. This prevents the injection of potentially malicious characters into application fields.
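The controller above relies on User.changeset/2 doing the actual validation, which the page does not show. The following is an added example, not code from the original page, of a schema whose changeset casts only the permitted fields and validates each one, together with an update action that reports validation and constraint errors instead of raising. It assumes a users table with name, email and role columns, MyApp.Repo, and the MyApp.Web controller macro used on this page.

```elixir
defmodule MyApp.User do
  use Ecto.Schema
  import Ecto.Changeset

  schema "users" do
    field :name, :string
    field :email, :string
    field :role, :string, default: "user"
    timestamps()
  end

  # Only :name and :email are cast from untrusted params, so :role cannot be
  # mass-assigned. Every cast field is checked before it reaches the database.
  def changeset(user, params) do
    user
    |> cast(params, [:name, :email])
    |> validate_required([:name, :email])
    |> validate_length(:name, min: 1, max: 80)
    |> validate_format(:name, ~r/^[^<>"']+$/,
         message: "must not contain HTML or quote characters")
    |> validate_format(:email, ~r/^[^\s@]+@[^\s@]+\.[^\s@]+$/)
    |> unique_constraint(:email)
  end
end

defmodule MyApp.UserController do
  use MyApp.Web, :controller
  alias MyApp.{Repo, User}

  def update(conn, %{"id" => id} = params) do
    user = Repo.get!(User, id)

    # Repo.update/1 returns {:error, changeset} rather than raising, so both
    # validation failures and database constraint errors reach the else branch.
    case Repo.update(User.changeset(user, params)) do
      {:ok, _user} ->
        send_resp(conn, 200, "User data updated successfully")

      {:error, changeset} ->
        errors = Ecto.Changeset.traverse_errors(changeset, fn {msg, _opts} -> msg end)

        conn
        |> put_status(422)
        |> json(%{errors: errors})
    end
  end
end
```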


References

  • 204 - Insufficient data authenticity validation

  • Last updated: 2023/09/18