Skip to main content

Insecure functionality


Secure functionality implementation


  • Usage of Dart 2.0 for building high-performance, cross-platform applications
  • Usage of Shelf for managing and organizing data in a Node.js application


Non compliant code

import 'package:shelf/shelf.dart' as shelf;

void main() {
var handler = const shelf.Pipeline()

shelf.serve(handler, 'localhost', 8080);

shelf.Response _echoRequest(shelf.Request request) {
return shelf.Response.ok('Request for "${request.url}"');

The above code is a basic server using the Shelf framework in Dart. Shelf is a middleware system for Dart servers, similar to Node's Express or Python's WSGI.

The server listens on localhost:8080 and responds to any requests by echoing the request url back to the client.

However, this code is insecure for a couple of reasons:

  1. No Input Validation: The server blindly accepts any request and echoes the URL back to the client. This could potentially lead to Cross-Site Scripting (XSS) attacks if the echoed URL is rendered in a client-side application without proper escaping. An attacker could send a malicious URL that includes script tags, which could then be executed on the client side.

  2. Lack of Authentication and Authorization: The server does not check who is making the request and whether they have permission to perform the requested operation. This could lead to unauthorized access to sensitive information or functions.

  3. No Rate Limiting: The server does not limit the number of requests a client can make in a certain time frame. This makes it vulnerable to Denial of Service (DoS) attacks, where an attacker could overwhelm the server with a large number of requests, causing it to become unresponsive or crash.

  4. No HTTPS: The server is not using HTTPS, which means that data is sent in plain text over the network. This could potentially expose sensitive information to anyone who is able to intercept the network traffic.


  • Validate and sanitize all incoming requests to prevent injection attacks.
  • Implement authentication and authorization to restrict access to sensitive functionality.
  • Use HTTPS instead of HTTP to encrypt communication and protect data integrity.
  • Limit the rate of requests to prevent denial-of-service attacks.
  • Log and monitor all activities to detect and respond to suspicious behavior.

Compliant code

import 'dart:async';
import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf_auth/shelf_auth.dart';
import 'package:shelf/shelf_io.dart' as io;
import 'package:shelf_rate_limiter/shelf_rate_limiter.dart';

void main() {
var handler = const shelf.Pipeline()
.addMiddleware(rateLimiter(maxOperationsPerPeriod: 100, period: const Duration(minutes: 1)))
.addMiddleware(authenticate([new JwtAuthMiddleware('secret')]))

io.serve(handler, 'localhost', 8080, shared: true).then((server) {
print('Serving at http://${}:${server.port}');

shelf.Response _sanitizeRequest(shelf.Request request) {
// Add your sanitization logic here
return request;

shelf.Response _echoRequest(shelf.Request request) {
return shelf.Response.ok('Request for "${request.url}"');

The updated code includes several security measures to mitigate the insecure functionality vulnerability:

  1. Request Sanitization: The _sanitizeRequest middleware is added to sanitize all incoming requests. This function should contain your sanitization logic to prevent injection attacks.

  2. Rate Limiting: The rateLimiter middleware is added to limit the rate of requests. This can help prevent denial-of-service attacks. The current settings allow a maximum of 100 requests per minute.

  3. Authentication: The authenticate middleware is added to implement authentication. This restricts access to sensitive functionality. The current settings use JWT for authentication.

  4. HTTPS: The io.serve function is used with the shared parameter set to true to allow for HTTPS connections. This encrypts communication and protects data integrity.

  5. Logging: The shelf.logRequests() middleware is used to log all requests. This can help detect and respond to suspicious behavior.

Remember to replace 'secret' with your actual secret for JWT authentication and to implement your sanitization logic in the _sanitizeRequest function.