Lack of data validation - Dates - Dart

Lack of data validation - Dates - Dart

Need

Implementation of robust data validation for dates

Context

  • Usage of Dart for building cross-platform mobile, web, and desktop applications
  • Usage of Shelf for managing data models and database interactions

Description

Non compliant code

        import 'package:shelf/shelf.dart' as shelf;

class DateController {
  Future updateDate(shelf.Request request) async {
    var updatedDate = await request.readAsString();
    // Vulnerability: The server does not validate the date format and processes the request as valid
    // TODO: Add server-side validation
    return shelf.Response.ok('Date updated to: $updatedDate');
  }
}
        
        

The above code represents a Dart server-side application using the Shelf framework. This code is vulnerable due to the lack of data validation on the server side. Specifically, it does not validate the date format that is being updated.

In the updateDate function, the server reads the updated date from the request and directly uses it without any validation. Although the front end may have restrictions and validations, those can be bypassed and the server will still process the requests as valid. This can lead to various issues including but not limited to incorrect data being stored, potential security risks, and unexpected application behavior.

Steps

  • Import a date parsing and validation library, such as 'intl' in Dart.
  • Create a function to validate the date format. This function should take the date string as input and use the date parsing function from the library to attempt to parse it.
  • In the function, catch any exceptions thrown by the date parsing function. If an exception is thrown, the date format is invalid, so return a validation error.
  • In the 'updateDate' method, before processing the request, call the date validation function with the 'updatedDate' as argument.
  • If the date validation function returns an error, return a response with an appropriate error message and status code, such as 400 for 'Bad Request'.
  • If the date validation function does not return an error, proceed with processing the request as before.

Compliant code

        import 'package:shelf/shelf.dart' as shelf;
import 'package:intl/intl.dart';

class DateController {
  Future updateDate(shelf.Request request) async {
    var updatedDate = await request.readAsString();

    // Validate the date format
    var validationResult = validateDateFormat(updatedDate);
    if (validationResult != null) {
      return shelf.Response(400, body: validationResult);
    }

    return shelf.Response.ok('Date updated to: $updatedDate');
  }

  String validateDateFormat(String date) {
    try {
      DateFormat('yyyy-MM-dd').parseStrict(date);
    } catch (e) {
      return 'Invalid date format. Expected format is yyyy-MM-dd';
    }
    return null;
  }
}
        
        

The updated code now includes a function validateDateFormat that validates the date format. This function uses the DateFormat class from the intl package to parse the date string. The parseStrict method is used to ensure that the date string strictly adheres to the specified format 'yyyy-MM-dd'. If the date string does not match this format, an exception is thrown, which is caught and handled by returning an error message.

In the updateDate method, before processing the request, the validateDateFormat function is called with the updatedDate as argument. If the date format is invalid, the function returns an error message, which is then used to create a response with a 400 status code (Bad Request) and the error message as the body. If the date format is valid, the function returns null, and the request is processed as before.

This way, the server now validates the date format and does not process requests with invalid dates, thus fixing the vulnerability.

References