HTTP Parameter Pollution
Need
Prevent unexpected behavior due to injection of extra HTTP parameters
Context
- Usage of Elixir for building scalable and fault-tolerant applications
- Usage of Plug Cowboy for building web applications in Elixir
- Usage of HTTP parameter validation
- Usage of input sanitization for protecting against malicious user input
Description
Non compliant code
defmodule MyApp.Router do
  use Plug.Router

  # Query parameters must be fetched before the route can read them.
  plug :fetch_query_params
  plug :match
  plug :dispatch

  get "/" do
    # Whatever arrived under "name" is used as-is: no type, length or
    # content check, and no output encoding.
    send_resp(conn, 200, "Hello, #{conn.params["name"]}")
  end

  match _ do
    send_resp(conn, 404, "Oops, not found!")
  end
end
This Elixir code is vulnerable because it uses the 'name' parameter without validating it. Plug.Conn.Query does not raise on a repeated key: for ?name=Ada&name=Mallory it keeps the last value and silently drops the first, so an attacker who can append a parameter (for example through a crafted link or a proxy that forwards extra query arguments) controls which value the handler sees. The parser also builds structured values from key suffixes: ?name[]=a&name[]=b yields a list and ?name[k]=v yields a map, so the handler's assumption that 'name' is a single string breaks and the interpolation either concatenates the list or raises. Finally, the raw value is reflected into the response body with no encoding.
Steps
- Validate the incoming parameters: check that each expected parameter is present exactly once, has the expected type (a single string, not a list or map produced by name[] or name[k] suffixes), and satisfies length and character-set limits.
- Reject requests that fail validation with a 4xx response, and encode the value for its output context (for example HTML-escape it) rather than trying to strip dangerous substrings.
Compliant code
defmodule MyApp.Router do
  use Plug.Router

  plug :fetch_query_params
  plug :match
  plug :dispatch

  get "/" do
    case Map.fetch(conn.params, "name") do
      # Accept a single string of bounded size only; lists and maps produced
      # by "name[]=..." or "name[k]=..." do not match this clause.
      {:ok, name} when is_binary(name) and byte_size(name) <= 64 ->
        conn
        |> put_resp_content_type("text/plain")
        |> send_resp(200, "Hello, #{Plug.HTML.html_escape(name)}")

      _ ->
        send_resp(conn, 400, "Invalid or missing 'name' parameter")
    end
  end

  match _ do
    send_resp(conn, 404, "Oops, not found!")
  end
end
This Elixir code is safe because it validates the 'name' parameter before use: the request is rejected with 400 unless 'name' is present, is a single binary (so the list and map forms that parameter pollution produces are refused) and is within a length bound. The accepted value is HTML-escaped with Plug.HTML.html_escape/1 and served with an explicit text/plain content type, so a reflected value cannot be interpreted as markup. Note that stripping characters, as in String.replace(name, "<>", ""), is not a substitute: that call only removes the literal two-character sequence "<>" and leaves a value such as "<script>" untouched.
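The following script is an added example, not code from the original page, that makes the parsing behaviour behind the Steps above observable and shows the validation the compliant router performs as a stand-alone function. It assumes Plug is fetched with Mix.install (run with elixir hpp_demo.exs); the module name HppDemo, the functions validate_name/1 and greet/1, the allow-list regex and the sample query strings are all constructed for illustration.

```elixir
# Added example (not from the original page). Requires Elixir >= 1.12 for
# Mix.install; Plug is fetched on first run.
Mix.install([{:plug, "~> 1.14"}])

defmodule HppDemo do
  # Hypothetical allow-list for a display name: letters, digits, space,
  # hyphen, 1 to 64 characters. Adjust to the application's real rules.
  @name_re ~r/\A[\p{L}\p{N} \-]{1,64}\z/u

  # Accept only a single binary value that matches the allow-list.
  # Lists (from name[]=...) and maps (from name[k]=...) are rejected.
  def validate_name(params) when is_map(params) do
    case Map.fetch(params, "name") do
      :error ->
        {:error, :missing}

      {:ok, v} when is_binary(v) ->
        if Regex.match?(@name_re, v), do: {:ok, v}, else: {:error, :invalid_chars}

      {:ok, _} ->
        {:error, :unexpected_type}
    end
  end

  # Simulates the route: decode the query string the way Plug does, validate,
  # then encode for output. Returns {status, body}.
  def greet(query_string) do
    params = Plug.Conn.Query.decode(query_string)

    case validate_name(params) do
      {:ok, name} -> {200, "Hello, #{Plug.HTML.html_escape(name)}"}
      {:error, reason} -> {400, "invalid name: #{reason}"}
    end
  end
end

# Constructed inputs: a normal request followed by polluted variants.
for qs <- [
      "name=Ada",
      "name=Ada&name=Mallory",
      "name[]=Ada&name[]=Mallory",
      "name[x]=y",
      "name=%3Cscript%3E",
      "other=1"
    ] do
  raw = Plug.Conn.Query.decode(qs)["name"]
  IO.puts("#{qs}\n  parsed name: #{inspect(raw)}\n  response:    #{inspect(HppDemo.greet(qs))}")
end
```

The second input is the important one: Plug.Conn.Query.decode returns "Mallory" for name=Ada&name=Mallory without any error, so a handler that only checks presence would greet the attacker-chosen value. The list and map inputs fall through to the :unexpected_type clause, and the script tag fails the allow-list, all answered with 400 instead of being reflected.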