Lack of data validation - Trust boundary violation
Need
To prevent potential security vulnerabilities due to trusting and mixing untrusted data in the same data structure or structured message.
Context
- Usage of Elixir for building scalable and fault-tolerant applications
- Usage of user-provided data without validation
Description
Non-compliant code
defmodule VulnerableApp do
  def handle_request(params) do
    {:ok, message} = build_message(params)
    send_message(message)
  end

  # Untrusted params are interpolated straight into the message: no type, shape or content checks.
  defp build_message(params) do
    {:ok, "Hello #{params[:name]}, your account balance is #{params[:balance]}"}
  end

  # Placeholder transport so the module compiles stand-alone.
  defp send_message(message), do: {:ok, message}
end
This Elixir code interpolates user-provided data directly into a structured message without any validation or sanitization, so trusted template text and untrusted input end up in the same string. An attacker who controls the name or balance fields can manipulate the message to introduce malicious payloads.
Steps
- Validate user-provided data before including it in structured messages or data structures.
- Sanitize user-provided data to remove any potentially malicious payloads.
- Consider using parameterized queries or prepared statements for database operations to prevent SQL Injection attacks.
Compliant code
defmodule SecureApp do
  def handle_request(params) do
    sanitized_params = sanitize(params)

    case validate(sanitized_params) do
      :ok ->
        {:ok, message} = build_message(sanitized_params)
        send_message(message)

      {:error, reason} ->
        {:error, reason}
    end
  end

  # Trim whitespace from string values; non-string values pass through unchanged.
  defp sanitize(params), do: Map.new(params, fn {k, v} -> {k, if(is_binary(v), do: String.trim(v), else: v)} end)

  # Accept only a non-empty, bounded name and a numeric balance; reject anything else.
  defp validate(%{name: name, balance: balance}) when is_binary(name) and byte_size(name) in 1..64 and is_number(balance), do: :ok
  defp validate(_), do: {:error, :invalid_params}

  defp build_message(params) do
    {:ok, "Hello #{params[:name]}, your account balance is #{params[:balance]}"}
  end

  # Placeholder transport; a real application would hand the message to its messaging layer.
  defp send_message(message), do: {:ok, message}
end
This Elixir code sanitizes and validates user-provided data before including it in a structured message, and refuses to build a message at all when validation fails, thereby preventing potential injection attacks.
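The following script is an added example, not code from the original guide; it carries the Steps above and the compliant code one step further by making the trust boundary explicit in the type system. Raw request params (string keys, as a web framework delivers them) can only cross into the messaging layer as a `TrustedGreeting` struct, and that struct can only be produced by `TrustedGreeting.from_params/1`, which enforces shape, type and content rules. The message itself is built as a map of fields rather than a pre-rendered string, so any downstream renderer can escape the fields for its own format. Module and function names, the regular expressions and the sample requests are all assumptions made for this illustration.

```elixir
# Added example (not part of the original guide). Run with: elixir trust_boundary.exs
defmodule TrustedGreeting do
  @moduledoc "Data that has crossed the validation boundary; only built by `from_params/1`."
  @enforce_keys [:name, :balance]
  defstruct [:name, :balance]

  # Illustrative policy: letters and combining marks, spaces and a little punctuation, 1..64 chars.
  @name_re ~r/\A[\p{L}\p{M} .'-]{1,64}\z/u

  @doc "Validate raw params (string keys, as delivered by a web framework) into a TrustedGreeting."
  def from_params(params) when is_map(params) do
    with {:ok, name} <- validate_name(Map.get(params, "name")),
         {:ok, balance} <- validate_balance(Map.get(params, "balance")) do
      {:ok, %__MODULE__{name: name, balance: balance}}
    end
  end

  def from_params(_), do: {:error, :params_not_a_map}

  # Names: printable characters only, bounded length, no control characters or newlines
  # that could forge extra lines in a text message.
  defp validate_name(name) when is_binary(name) do
    trimmed = String.trim(name)

    if String.valid?(trimmed) and Regex.match?(@name_re, trimmed),
      do: {:ok, trimmed},
      else: {:error, :invalid_name}
  end

  defp validate_name(_), do: {:error, :invalid_name}

  # Balance: an integer/float, or a decimal string with at most two fraction digits.
  defp validate_balance(balance) when is_number(balance), do: {:ok, balance}

  defp validate_balance(balance) when is_binary(balance) do
    if Regex.match?(~r/\A-?\d{1,12}(\.\d{1,2})?\z/, balance),
      do: {:ok, balance},
      else: {:error, :invalid_balance}
  end

  defp validate_balance(_), do: {:error, :invalid_balance}
end

defmodule Messaging do
  @doc """
  Build the outgoing message as structured data rather than a pre-rendered string, so a
  downstream renderer (JSON, template engine) escapes the fields for its own format.
  Only a TrustedGreeting is accepted, and one cannot exist without having passed validation.
  """
  def build_message(%TrustedGreeting{name: name, balance: balance}) do
    %{template: "account_balance", fields: %{name: name, balance: balance}}
  end

  @doc "Render the structured message to plain text; the fields are already constrained by validation."
  def render_text(%{template: "account_balance", fields: %{name: name, balance: balance}}) do
    "Hello #{name}, your account balance is #{balance}"
  end
end

# Constructed sample requests: one well-formed, one carrying a newline and markup in the name,
# one with a non-numeric balance. Only the first reaches the messaging layer.
for params <- [
      %{"name" => "Ada Lovelace", "balance" => "1024.50"},
      %{"name" => "Ada\nBalance: 999999 <b>", "balance" => "5"},
      %{"name" => "Ada", "balance" => "not-a-number"}
    ] do
  case TrustedGreeting.from_params(params) do
    {:ok, trusted} ->
      IO.puts("accepted: " <> Messaging.render_text(Messaging.build_message(trusted)))

    {:error, reason} ->
      IO.puts("rejected (#{reason}): #{inspect(params)}")
  end
end
```

The design choice worth copying is that `Messaging.build_message/1` pattern-matches on the struct rather than on a bare map: a caller cannot hand it raw params by mistake, so the validation step cannot be skipped without a compile-visible change, and the boundary between untrusted and trusted data is the struct constructor rather than a convention.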