Insufficient data authenticity validation
Need
To prevent injection of potentially malicious characters into application fields
Context
- Usage of Elixir (version 1.12 and above) for building scalable and fault-tolerant applications
- Usage of Ecto.Repo for interacting with databases
Description
Non compliant code
defmodule MyApp.UserController do
use MyApp.Web, :controller
def update(conn, params) do
user = MyApp.Repo.get!(User, params["id"])
user = MyApp.Repo.update!(User.changeset(user, params))
send_resp(conn, 200, "User data updated successfully")
end
end
The Elixir code allows a user to update their data without performing any server-side validation or checks on the user input, which could lead to injection of potentially malicious characters into application fields.
Steps
- Validate user input on the server side
- Check the validity of the changeset before updating the user data
Compliant code
defmodule MyApp.UserController do
use MyApp.Web, :controller
def update(conn, params) do
user = MyApp.Repo.get!(User, params["id"])
changeset = User.changeset(user, params)
if changeset.valid? do
user = MyApp.Repo.update!(changeset)
send_resp(conn, 200, "User data updated successfully")
else
send_resp(conn, 400, "Invalid data")
end
end
end
The secure Elixir code checks the validity of the changeset before updating the user data. This prevents the injection of potentially malicious characters into application fields.