Lack of data validation - Trust boundary violation
Need
Enforcement of strict data validation and separation of trusted and untrusted data
Context
- Usage of Node.js v14.0.0 for server-side JavaScript development
- Usage of Express for building web applications and APIs
Description
Non compliant code
import express from 'express';
const app = express();
app.post('/api/data', (req, res) => {
const { trustedData, untrustedData } = req.body;
const data = {
trustedData,
untrustedData
};
// Process the data...
res.sendStatus(200);
});
app.listen(3000, () => {
console.log('Server is running on port 3000');
});
The vulnerability in this code is a lack of data validation, specifically a trust boundary violation. The code receives data from the client's request body, which includes both trustedData and untrustedData. The problem lies in the fact that both trusted and untrusted data are mixed together in the same data structure, without any validation or differentiation.
This can lead to potential security issues because untrusted data can contain malicious content or unexpected input. By mixing trusted and untrusted data in the same structure, the code may inadvertently introduce untrusted data into critical data structures or structured messages, which can result in various types of injections.
In this case, the recommendation to prevent this vulnerability is to avoid using untrusted data in critical data structures or structured messages. This means that the code should validate and sanitize the untrusted data separately before incorporating it into any critical data structures or messages.
Steps
- Separate trusted and untrusted data into different data structures or structured messages.
- Perform data validation and sanitization on the untrusted data before using it.
- Consider using a validation library or framework to simplify the data validation process.
- Implement input validation and filtering techniques to prevent common types of injections, such as SQL injection or XSS.
- Educate developers on the importance of data validation and the potential risks of mixing trusted and untrusted data.
Compliant code
import express from 'express';
import { validate } from 'some-validation-library'; // replace with the actual validation library
const app = express();
app.post('/api/data', (req, res) => {
const { trustedData, untrustedData } = req.body;
const validatedUntrustedData = validate(untrustedData); // perform data validation
const data = {
trustedData,
untrustedData: validatedUntrustedData
};
// Process the data...
res.sendStatus(200);
});
app.listen(3000, () => {
console.log('Server is running on port 3000');
});
In the fixed code, we have made changes to address the vulnerability of lack of data validation and trust boundary violation. Here's an explanation of the changes made:
-
We import the necessary modules, including the
expressframework and a validation library (replacesome-validation-librarywith the actual library you are using for data validation). -
We create an instance of the
expressapplication. -
We define a route for handling POST requests to '/api/data'. This route expects the request body to contain two properties:
trustedDataanduntrustedData. -
Inside the route handler, we perform data validation on the
untrustedDatausing thevalidatefunction from the validation library. This step ensures that only valid data is used. -
We create a new object called
datathat contains both thetrustedDataand the validateduntrustedData. -
We can now process the
dataobject as needed. This step ensures that the untrusted data is separated from the trusted data and can be handled appropriately. -
Finally, we send a response with a status code of 200 to indicate a successful request.
-
The server listens on port 3000, and a message is logged to the console to indicate that the server is running.
By performing data validation on the untrusted data and separating it from the trusted data, we ensure that only validated data is used in critical data structures or structured messages, addressing the vulnerability.