Lack of data validation - URL

Need

Implementation of proper data validation and sanitization for URL parameters

Context

  • Usage of Go 1.16 for developing high-performance and efficient applications
  • Usage of gin-gonic/gin for building web applications in Go

Description

Non-compliant code

package main

import (
	"fmt"

	"github.com/gin-gonic/gin"
)

func main() {
	r := gin.Default()

	r.GET("/documents", func(c *gin.Context) {
		date := c.Query("date") // date is a parameter in the URL
		// Here we should have a data validation for the 'date' parameter,
		// but it's missing, so any user can pass any date to get the documents
		fmt.Printf("Documents sent on date: %s\n", date)
	})

	r.Run()
}

In the above code, we have a GET endpoint '/documents' which accepts a 'date' parameter from the URL. The 'date' parameter is used to fetch the documents sent on that particular date.

The vulnerability lies in the fact that there is no validation for the 'date' parameter: any user can pass any date and receive the documents sent on that date. This leads to information leakage, since any user on the internet can obtain information on the users who have sent their documents through the portal simply by supplying a date as a parameter in the URL.

Without proper data validation, an attacker can manipulate the 'date' parameter to retrieve sensitive information. This is a classic case of a lack of data validation vulnerability.

To fix this vulnerability, we need to implement proper data validation for the 'date' parameter. We should ensure that the user is authorized to access the documents of the provided date.

Steps

  • Implement data validation for the 'date' parameter in the URL
  • Validate that the 'date' parameter is in the correct format
  • Check if the 'date' parameter is within an acceptable range
  • Handle invalid or out-of-range dates appropriately
  • Consider using a regular expression or a date parsing library to validate the 'date' parameter

Compliant code

package main

import (
	"fmt"
	"net/http"
	"time"

	"github.com/gin-gonic/gin"
)

func main() {
	r := gin.Default()

	r.GET("/documents", func(c *gin.Context) {
		date := c.Query("date") // date is a parameter in the URL

		// Validate that the 'date' parameter is in the correct format.
		// A single Parse call gives both the validity check and the value.
		t, err := time.Parse("2006-01-02", date)
		if err != nil {
			c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid date format. Please use 'YYYY-MM-DD'"})
			return
		}

		// Check if the 'date' parameter is within an acceptable range
		now := time.Now()
		if t.Before(now.AddDate(-1, 0, 0)) || t.After(now) {
			c.JSON(http.StatusBadRequest, gin.H{"error": "Date is out of range. Please use a date within the last year"})
			return
		}

		fmt.Printf("Documents sent on date: %s\n", date)
	})

	r.Run()
}

The updated code now includes data validation for the 'date' parameter in the URL.

First, it checks that the 'date' parameter is in the correct format (YYYY-MM-DD) using the time.Parse function. If the date is not in the correct format, the server responds with a 400 Bad Request status and an error message indicating the expected format.

Second, it checks that the 'date' parameter is within an acceptable range (within the last year and not in the future). If the date is out of range, the server responds with a 400 Bad Request status and an error message indicating the acceptable range.

By implementing these checks, we can prevent users from obtaining information on documents sent on any arbitrary date, thus fixing the vulnerability.
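The same two checks, factored into a validator with an injected clock so the range boundary can be tested deterministically. This is an added example, not code from the original page: it uses the standard library's net/http instead of gin so it runs without third-party modules, and the names ValidateDate, DocumentsHandler, ErrDateFormat and ErrDateRange are assumptions. The strict "2006-01-02" layout rejects loose inputs such as "2024-6-1", and an empty or missing parameter fails the format check rather than being treated as "all dates".

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"time"
)

const dateLayout = "2006-01-02" // Go's reference layout for YYYY-MM-DD

// Distinct errors let callers (and tests) tell the two failures apart
// without matching on message text. Names are assumptions for this example.
var (
	ErrDateFormat = errors.New("invalid date format, expected YYYY-MM-DD")
	ErrDateRange  = errors.New("date out of range, expected within the last year")
)

// ValidateDate applies the page's two checks: strict YYYY-MM-DD format and a
// window of [now-1y, now]. 'now' is a parameter so the window is testable.
func ValidateDate(raw string, now time.Time) (time.Time, error) {
	t, err := time.Parse(dateLayout, raw) // also rejects "" and impossible dates
	if err != nil {
		return time.Time{}, ErrDateFormat
	}
	if t.Before(now.AddDate(-1, 0, 0)) || t.After(now) {
		return time.Time{}, ErrDateRange
	}
	return t, nil
}

// DocumentsHandler mirrors the /documents endpoint with net/http (assumed
// stand-in for gin). Validation failures return 400 with a JSON error body.
func DocumentsHandler(now func() time.Time) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		t, err := ValidateDate(r.URL.Query().Get("date"), now())
		if err != nil {
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusBadRequest)
			json.NewEncoder(w).Encode(map[string]string{"error": err.Error()})
			return
		}
		fmt.Fprintf(w, "Documents sent on date: %s\n", t.Format(dateLayout))
	}
}

func main() {
	http.ListenAndServe(":8080", DocumentsHandler(time.Now))
}
```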