Lack of data validation - Trust boundary violation

Need

To prevent potential security vulnerabilities due to trusting and mixing untrusted data in the same data structure or structured message.

Context

Usage of Elixir for building scalable and fault-tolerant applications
Usage of Elixir for building scalable and fault-tolerant applications
Usage of user-provided data without validation

Description

Non compliant code

defmodule VulnerableApp do
  def handle_request(params) do
    {:ok, message} = build_message(params)
    send_message(message)
  end

  defp build_message(params) do
    {:ok, "Hello #{params[:name]}, your account balance is #{params[:balance]}"}
  end
end

This Elixir code directly includes user-provided data in a structured message without any validation or sanitization. An attacker can potentially manipulate the message to introduce malicious payloads.

Steps

Validate user-provided data before including it in structured messages or data structures.
Sanitize user-provided data to remove any potentially malicious payloads.
Consider using parameterized queries or prepared statements for database operations to prevent SQL Injection attacks.

Compliant code

defmodule SecureApp do
  def handle_request(params) do
    sanitized_params = sanitize(params)
    case validate(sanitized_params) do
      :ok -> {:ok, message} = build_message(sanitized_params)
               send_message(message)
      {:error, reason} -> {:error, reason}
    end
  end

  defp build_message(params) do
    {:ok, "Hello #{params[:name]}, your account balance is #{params[:balance]}"}
  end
end

This Elixir code validates and sanitizes user-provided data before including it in a structured message, thereby preventing potential injection attacks.

References

089.Lack of data validation - Trust boundary violation

Need​

Context​

Description​

Non compliant code​

Steps​

Compliant code​

References​