Hidden fields manipulation
Need
Protection against hidden fields manipulation
Context
• Usage of PHP 7.0 for server-side scripting and web development
• Usage of Request for making HTTP requests
• Usage of the User dependency for user-related functionality
Description
1. Non-compliant code

public function update(Request $request, $id)
{
    $user = User::find($id);
    $user->name = $request->input('name');
    $user->email = $request->input('email');
    $user->role = $request->input('role'); // Hidden field
    $user->save();
}

The above code is a typical Laravel controller method for updating a user's information. The method retrieves a user's record from the database using an ID passed in the URL, then overwrites the user's fields with data from the request. The vulnerability lies in this line: `$user->role = $request->input('role');`. The 'role' field is a hidden field that should not be editable by users. However, if a malicious user is able to manipulate the HTTP request and include a 'role' parameter, they can change their own role or the role of other users. This could grant them administrative access, or otherwise disrupt the normal operation of the application. In this case, the 'role' field is directly exposed to any incoming request, without any validation or authorization checks. This means that any user, regardless of their permissions, can potentially modify the 'role' field of any user in the database.
2. Steps
• Validate the user's permissions before allowing them to update certain fields. Only users with the appropriate permissions should be able to update the 'role' field.
• Remove the 'role' field from the request input and handle it separately. This way, it cannot be manipulated through the request.
• Implement server-side validation to ensure that the 'role' field cannot be updated unless the user has the appropriate permissions.
• Consider using a different method to update user roles, such as a separate function or endpoint that is only accessible to users with the appropriate permissions.
3. Secure code example

public function update(Request $request, $id)
{
    $user = User::find($id);
    $user->name = $request->input('name');
    $user->email = $request->input('email');

    // Check if the authenticated user has the permission to update the role
    if ($request->user()->can('update-role')) {
        $user->role = $request->input('role'); // Hidden field
    }

    $user->save();
}

The updated code now includes a check to see if the authenticated user has the permission to update the 'role' field. This is done using Laravel's built-in authorization system, which allows you to define abilities (permissions) for different actions. In this case, we check whether the authenticated user has the 'update-role' ability before allowing them to update the 'role' field; if they do not, the 'role' parameter in the request is simply ignored and the rest of the update proceeds. This prevents unauthorized users from manipulating the 'role' field through the request, as they lack the necessary permission. This is a much more secure way of handling sensitive fields like 'role', as it ensures that only users with the appropriate permissions can update them. In addition, it is also a good idea to consider using a separate function or endpoint for updating user roles, accessible only to users with the appropriate permissions. This would provide an additional layer of security and further reduce the risk of unauthorized role updates.
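The separate-endpoint approach recommended in the steps above, as an added example that is not part of the original page: profile fields are read through an explicit allowlist so a smuggled 'role' parameter is never consulted, and role changes go through a dedicated action gated by the 'update-role' ability. Assumed names: Laravel 5.x on PHP 7.0, the App\User model, the UserController and updateRole() action, the Gate definition and the routes.

```php
<?php
// Added example (not the page's own code). Assumed: Laravel 5.x on PHP 7.0,
// the App\User model, updateRole(), the 'update-role' ability and the routes.
namespace App\Http\Controllers;

use App\User;
use Illuminate\Http\Request;

class UserController extends Controller
{
    // Profile update: only name and email are ever read from the request, so a
    // 'role' parameter smuggled into the body is ignored regardless of its value.
    public function update(Request $request, $id)
    {
        $user = User::findOrFail($id);
        $data = $request->validate([
            'name'  => 'required|string|max:255',
            'email' => 'required|email|max:255',
        ]);
        $user->name  = $data['name'];
        $user->email = $data['email'];
        $user->save();
        return response()->json($user);
    }

    // Role changes live in a dedicated action behind a dedicated ability, so the
    // decision is made server-side from the caller's identity, never from input.
    public function updateRole(Request $request, $id)
    {
        $user = User::findOrFail($id);
        if (!$request->user()->can('update-role', $user)) {
            abort(403);
        }
        $data = $request->validate(['role' => 'required|in:user,editor,admin']);
        $user->role = $data['role'];
        $user->save();
        return response()->json($user);
    }
}

// Supporting wiring (assumed), shown for completeness:
// AuthServiceProvider::boot():
//   Gate::define('update-role', function ($actor, User $target) {
//       return $actor->role === 'admin';
//   });
// routes/web.php:
//   Route::put('/users/{id}', 'UserController@update');
//   Route::put('/users/{id}/role', 'UserController@updateRole');
```

With this split, a request to the profile endpoint carrying `role=admin` has no effect, and a request to the role endpoint from a non-admin is rejected with 403 before any field is touched.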
References
• 093. Hidden fields manipulation