Lack of data validation - Numbers

Need

Implementation of robust data validation for numbers

Context

  • Usage of Dart for building cross-platform mobile, web, and desktop applications
  • Usage of Shelf for managing and organizing data in a Node.js application

Description

Non compliant code

import 'package:shelf/shelf.dart' as shelf;

shelf.Response handleRequest(shelf.Request request) {
  var number = request.url.queryParameters['number'];

  // Perform some business logic with the number
  // ...

  return shelf.Response.ok('Success');
}

In the above code, we are taking a request parameter 'number' directly from the request without any kind of validation. This can lead to several potential issues:

  1. Type Issues: The 'number' parameter is expected to be a number. However, since there is no validation, a user can provide any type of data, such as a string or boolean. This can lead to runtime errors if the business logic assumes that the input is a number.

  2. Range Issues: Even if the user provides a number, there might be some constraints on the acceptable range of the number based on the business logic. For example, if the number represents an age, it should be a positive integer. However, the current code does not enforce any such constraints.

  3. Security Issues: Lack of input validation is a common security vulnerability. An attacker can provide malicious input to exploit potential security flaws in the business logic.

In order to fix this vulnerability, we need to add proper data validation for the 'number' parameter. The validation rules should be based on the specific requirements of the business logic.

Steps

  • First, you should validate the 'number' parameter to ensure it is indeed a number. This can be done using a regular expression or a built-in function to check if a string is a number.
  • Second, you should handle the case where 'number' is not a number. This could be returning an error response, or ignoring the invalid input.
  • Third, consider limiting the range of valid numbers. If your business logic only makes sense for certain ranges of numbers, make sure to enforce this in your validation.
  • Lastly, always sanitize the input data before using it in your business logic to prevent any kind of injection attacks.

Compliant code

import 'package:shelf/shelf.dart' as shelf;

shelf.Response handleRequest(shelf.Request request) {
  var number = request.url.queryParameters['number'];

  // Validate the 'number' parameter before it reaches any business logic
  if (number == null || !isNumeric(number)) {
    return shelf.Response(400, body: 'Invalid number parameter');
  }

  // Perform some business logic with the number
  // ...

  return shelf.Response.ok('Success');
}

// Returns true when the string parses as a double. Note that
// double.tryParse also accepts forms such as "1e3", "NaN" and
// "Infinity", so add range checks where the business logic needs them.
bool isNumeric(String? s) {
  // The parameter must be nullable for this check to be meaningful
  // under Dart's sound null safety; a non-nullable String is never null.
  if (s == null) {
    return false;
  }
  return double.tryParse(s) != null;
}

The updated code includes a validation check for the 'number' parameter. The isNumeric function is used to check if the 'number' parameter is indeed a number. This function tries to parse the string to a double and if it fails (returns null), it means the string is not a number.

If the 'number' parameter is null or not a number, the function returns a 400 response with the message 'Invalid number parameter'. This informs the client that the request was not properly formatted.

This validation check ensures that the business logic is only executed when the 'number' parameter is a valid number, preventing potential issues that could arise from handling invalid data.

Remember, it's always important to validate and sanitize input data before using it in your application to prevent any kind of injection attacks or other security vulnerabilities.
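The following is an added example, not code from the original page, that carries the four steps above through to a stricter version of the compliant handler: it parses 'number' as a decimal integer (rejecting "NaN", "Infinity", exponent and hexadecimal forms that double.tryParse would accept), enforces a range, and answers with a 400 response whose body contains only a server-chosen message. The parameter name 'number', the age-style range 0..150 and the ValidationResult helper are assumptions made for this example; only the shelf package API is taken from the page.

```dart
// Added example (not the page's own code): strict validation of a numeric
// query parameter in a Dart/Shelf handler. Assumes the `shelf` package is
// available; the range limits and the ValidationResult type are constructed
// for this example.
import 'dart:convert';
import 'package:shelf/shelf.dart' as shelf;

/// Outcome of validating one parameter: either a parsed value or an error.
class ValidationResult {
  final int? value;
  final String? error;
  const ValidationResult.ok(this.value) : error = null;
  const ValidationResult.fail(this.error) : value = null;
  bool get isValid => error == null;
}

/// Parses [raw] as a decimal integer within [min, max] (inclusive).
/// int.tryParse alone would still accept "0x10" and surrounding whitespace,
/// so the shape is pinned down with a regular expression first (step 1),
/// then the range is enforced (step 3).
ValidationResult validateInt(String? raw, {required int min, required int max}) {
  if (raw == null || raw.trim().isEmpty) {
    return const ValidationResult.fail('parameter is required');
  }
  final trimmed = raw.trim();
  // Optional leading minus followed by 1..18 digits: no exponents, decimals,
  // hex prefixes or embedded whitespace; 18 digits always fits a 64-bit int.
  if (!RegExp(r'^-?\d{1,18}$').hasMatch(trimmed)) {
    return const ValidationResult.fail('parameter must be a decimal integer');
  }
  final parsed = int.tryParse(trimmed);
  if (parsed == null) {
    return const ValidationResult.fail('parameter must be a decimal integer');
  }
  if (parsed < min || parsed > max) {
    return ValidationResult.fail('parameter must be between $min and $max');
  }
  return ValidationResult.ok(parsed);
}

shelf.Response handleRequest(shelf.Request request) {
  // Example rule (constructed): 'number' is an age, so it must be an
  // integer in 0..150.
  final result =
      validateInt(request.url.queryParameters['number'], min: 0, max: 150);
  if (!result.isValid) {
    // Step 2: reject before any business logic runs. The body carries only
    // our own message, never the raw input, so the client cannot shape it.
    return shelf.Response(400,
        body: jsonEncode({'error': 'Invalid number parameter: ${result.error}'}),
        headers: {'content-type': 'application/json'});
  }
  final number = result.value!; // a validated, range-checked int from here on

  // Business logic with the validated number goes here.
  return shelf.Response.ok('Success: $number');
}

// Stand-alone check of the validator without starting a server.
void main() {
  const samples = ['42', '-1', '151', '1e3', 'NaN', '0x10', ' 7 ', '12.5', ''];
  for (final s in samples) {
    final r = validateInt(s, min: 0, max: 150);
    print('"$s" -> ${r.isValid ? 'ok ${r.value}' : 'rejected: ${r.error}'}');
  }
}
```

Running main prints that only "42" and " 7 " are accepted (the latter after trimming, as 7); every other sample is rejected with the reason shown. The handler uses the same validateInt so the request path and the stand-alone check cannot drift apart.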
