Skip to main content

Insecure functionality - File Creation

Need

Enforce server-side validation and authorization for restricted functionality

Context

  • Usage of TypeScript for statically typed JavaScript development
  • Usage of Express for building web applications and handling HTTP requests

Description

Non compliant code

import express from 'express';

const app = express();

app.post('/createFile', (req, res) => {
  const { fileName, content } = req.body;

  // Insecure functionality - File Creation
  // Bypassing the front-end restriction
  // No server-side permission verification

  // Create file with fileName and content
  // ...

  res.status(200).json({ message: 'File created successfully' });
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

The vulnerability in the given code is an insecure functionality related to file creation. The code allows an authenticated user to create a file by sending a POST request to the '/createFile' endpoint. However, the code does not perform any server-side permission verification to ensure that the user making the request has sufficient permissions to create the file.

Instead, the code relies on a front-end restriction, which disables the corresponding button for users with restricted profiles. However, this front-end restriction can be easily bypassed, allowing users with restricted profiles to send the request and create files.

This vulnerability can have a significant impact as it allows unauthorized users to access customer information on a massive scale. Without proper permission verification on the server-side, any authenticated user can exploit this vulnerability and create files, potentially compromising sensitive data.

To address this vulnerability, it is recommended to implement server-side permission verification. This means that before creating a file, the server should check the user's permissions and ensure that they have the necessary rights to perform the operation. By validating the user's permissions on the server-side, the code can prevent unauthorized file creation and protect customer information.

Steps

  • Remove the front-end restriction on the button for creating files
  • Implement server-side permission verification before creating the file
  • Verify that the authenticated user has sufficient permissions to create a file
  • If the user does not have sufficient permissions, return an appropriate error response
  • Only create the file if the user has sufficient permissions

Compliant code

import express from 'express';

const app = express();

app.post('/createFile', (req, res) => {
  const { fileName, content } = req.body;
  
  // Implement server-side permission verification
  if (!req.user.hasPermission('createFile')) {
    return res.status(403).json({ message: 'Insufficient permissions' });
  }

  // Create file with fileName and content
  // ...

  res.status(200).json({ message: 'File created successfully' });
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

The fixed code addresses the vulnerability by implementing server-side permission verification before creating a file. Here's how the code works:

  1. The code imports the necessary modules, including Express, to create a server.

  2. The code initializes an Express application.

  3. The code defines a POST route at '/createFile' to handle file creation requests.

  4. Inside the route handler, the code extracts the 'fileName' and 'content' from the request body using destructuring assignment.

  5. The code then checks for the user's permission to create a file by calling the 'hasPermission' method on the 'req.user' object. This method is assumed to exist and should be implemented according to the specific authentication and authorization system in use.

  6. If the user does not have the 'createFile' permission, the code returns a 403 Forbidden status with a JSON response indicating insufficient permissions.

  7. If the user has the necessary permission, the code proceeds to create the file with the provided 'fileName' and 'content'. The actual file creation logic is not shown in the code snippet.

  8. Finally, the code sends a 200 OK status with a JSON response indicating that the file was created successfully.

  9. The code starts the server and listens on port 3000.

By performing permission verification on the server-side, the fixed code ensures that only users with the appropriate permissions can create files. This mitigates the vulnerability by preventing unauthorized access to customer information.

References

Last updated on