logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

Lack of data validation - Out of range - Scala

Need

Implementation of proper input validation and range checking

Context

  1. Usage of Scala for building scalable and functional applications
  2. Usage of play.api.mvc for handling HTTP requests and building web applications in the Play framework

Description

Insecure Code Example

import play.api.mvc._

object EmployeeManagementController extends Controller {
  def manageEmployee = Action {
    Ok("Employee Management Page")
  }
}

object Application extends Controller {
  val restrictedDomains = List("restricted.com", "blocked.com")

  def index = Action { request =>
    request.session.get("user") match {
      case Some(user) =>
        if (restrictedDomains.contains(user)) {
          Ok("Restricted Page")
        } else {
          Redirect(routes.EmployeeManagementController.manageEmployee())
        }
      case None => Unauthorized("Oops, you are not connected")
    }
  }
}

In the provided code snippet, the application is using the Play Framework for Scala. The `EmployeeManagementController` object has a single action `manageEmployee` that simply returns a string "Employee Management Page". The `Application` object has a `restrictedDomains` list that contains domains from which users are restricted to access certain functionalities such as Employee Management. In the `index` action of the `Application` object, the application checks if the user is authenticated by checking if the "user" session variable is set. If the user is authenticated, the application checks if the user's domain is in the list of `restrictedDomains`. If it is, the application returns a "Restricted Page". If it is not, the application redirects the user to the `manageEmployee` action of the `EmployeeManagementController`. The vulnerability here is that the application does not validate the path that the user is trying to access. An authenticated user from a restricted domain can bypass the domain restrictions by using the absolute path to the `manageEmployee` action. This means that even though the user's domain is restricted, they can still access the `manageEmployee` action by directly using its absolute path.

Steps

  1. Implement input validation to ensure that the 'user' session value is within the expected range.
  2. Use a whitelist approach to validate the 'user' session value against a list of allowed domains.
  3. If the 'user' session value is not within the allowed domains, handle the request accordingly (e.g., show an error message or redirect to a different page).

Secure Code Example

import play.api.mvc._

object EmployeeManagementController extends Controller {
  def manageEmployee = Action {
    Ok("Employee Management Page")
  }
}

object Application extends Controller {
  val restrictedDomains = List("restricted.com", "blocked.com")
  val allowedDomains = List("allowed1.com", "allowed2.com") // Add a list of allowed domains

  def index = Action { request =>
    request.session.get("user") match {
      case Some(user) =>
        if (restrictedDomains.contains(user)) {
          Ok("Restricted Page")
        } else if (allowedDomains.contains(user)) { // Check if the user domain is in the allowed list
          Redirect(routes.EmployeeManagementController.manageEmployee())
        } else {
          Unauthorized("Oops, you are not connected or your domain is not allowed") // Handle the case when the user domain is not in the allowed list
        }
      case None => Unauthorized("Oops, you are not connected")
    }
  }
}

The original code had a vulnerability where an authenticated user in a domain that restricts certain functionalities such as Employee Management, could bypass the restrictions by using absolute paths to these functionalities. This was due to a lack of data validation for the 'user' session value. The fixed code introduces input validation to ensure that the 'user' session value is within the expected range. This is done by using a whitelist approach to validate the 'user' session value against a list of allowed domains. If the 'user' session value is not within the allowed domains, the request is handled accordingly by showing an error message or redirecting to a different page. In the fixed code, a list of allowed domains is added. When a request is received, the 'user' session value is checked against this list. If the 'user' session value is in the allowed list, the user is redirected to the Employee Management page. If the 'user' session value is not in the allowed list, an error message is shown indicating that the user is not connected or their domain is not allowed. This ensures that only users from allowed domains can access the Employee Management functionality, thereby fixing the vulnerability.

References

  • 198 - Lack of data validation - Out of range

    • Last updated

    2023/09/18