Database

Insufficient data authenticity validation

Need

To prevent injection of potentially malicious characters into application fields

Context

• Usage of Elixir (version 1.12 and above) for building scalable and fault-tolerant applications

• Usage of Ecto.Repo for interacting with databases

Description

1. Non-compliant code

defmodule MyApp.UserController do
  use MyApp.Web, :controller

  def update(conn, params) do
    user = MyApp.Repo.get!(User, params["id"])
    # Every request parameter is passed straight into the changeset and
    # persisted without checking whether the changeset is valid.
    user = MyApp.Repo.update!(User.changeset(user, params))
    user
  end
end

This Elixir code lets a user update their record without any server-side validation of the submitted input: whatever arrives in `params` is written to the database. Potentially malicious characters can therefore be injected into application fields.

2. Steps

• Validate user input on the server side

• Check the validity of the changeset before updating the user data

3. Secure code example

defmodule MyApp.UserController do
  use MyApp.Web, :controller

  def update(conn, params) do
    user = MyApp.Repo.get!(User, params["id"])

    changeset = User.changeset(user, params)

    if changeset.valid? do
      # Persist the changes only after the changeset's validations have passed
      MyApp.Repo.update!(changeset)
      send_resp(conn, 200, "updated")
    else
      # Reject the request and leave the stored record untouched
      send_resp(conn, 422, "invalid user data")
    end
  end
end

The secure Elixir code checks that the changeset is valid before updating the user record, and refuses the request otherwise. This blocks the injection of potentially malicious characters into application fields, provided the changeset itself casts only the permitted fields and validates their content.
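The `valid?` check above is only as strong as the validations defined in `User.changeset/2`: a changeset that casts every incoming key and declares no validations is always valid, so the check passes and the injection still succeeds. The following is an added example, not code from the original page, showing a schema whose changeset whitelists the fields a client may set and constrains their content, together with a controller that uses `Repo.update/1` so that an invalid changeset is never written. The `MyApp.User` schema, its fields, the `@permitted` list, the regular expressions and the HTTP responses are all assumptions made for this example.

```elixir
# Added example (assumed schema and controller; not the original page's code)
defmodule MyApp.User do
  use Ecto.Schema
  import Ecto.Changeset

  schema "users" do
    field :name, :string
    field :email, :string
    # Never settable from request params; see @permitted below
    field :role, :string, default: "member"
    timestamps()
  end

  # Only these keys are read from the request. Anything else (e.g. "role",
  # "id", "inserted_at") is silently dropped by cast/3, so a client cannot
  # overwrite fields it was never meant to control.
  @permitted ~w(name email)a

  def changeset(user, params) do
    user
    |> cast(params, @permitted)
    |> validate_required(@permitted)
    |> validate_length(:name, min: 1, max: 100)
    # Allow letters, digits, spaces and a small set of punctuation only,
    # which rejects markup, quotes and control characters in the name
    |> validate_format(:name, ~r/\A[\p{L}\p{N} .'-]+\z/u)
    |> validate_length(:email, max: 254)
    |> validate_format(:email, ~r/\A[^\s@]+@[^\s@]+\.[^\s@]+\z/)
    |> unique_constraint(:email)
  end
end

defmodule MyApp.UserController do
  use MyApp.Web, :controller

  alias MyApp.{Repo, User}

  def update(conn, %{"id" => id} = params) do
    user = Repo.get!(User, id)

    # Repo.update/1 writes to the database only when the changeset is valid;
    # otherwise it returns {:error, changeset} instead of raising, so the
    # invalid input never reaches the table and the errors can be reported.
    case Repo.update(User.changeset(user, params)) do
      {:ok, user} ->
        json(conn, %{id: user.id, name: user.name, email: user.email})

      {:error, changeset} ->
        errors = Ecto.Changeset.traverse_errors(changeset, fn {msg, _opts} -> msg end)

        conn
        |> put_status(:unprocessable_entity)
        |> json(%{errors: errors})
    end
  end
end
```

Two design points matter here. First, `cast/3` is the allow-list: a key that is not in `@permitted` cannot be set no matter what the client sends, which is the mass-assignment half of the problem. Second, preferring `Repo.update/1` with a `case` over `changeset.valid?` followed by `Repo.update!/1` keeps the validity decision and the write in one call and returns the failing changeset, so the response can name the rejected fields without ever having touched the database.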