Lack of data validation - Emails - Dart

Lack of data validation - Emails - Dart

Need

Implementation of email validation and filtering to prevent the use of disposable mailboxes

Context

  • Usage of Dart for building cross-platform applications
  • Usage of Shelf for managing and organizing data in a Node.js application
  • Usage of shelf_router for routing and handling HTTP requests in a Shelf application

Description

Non compliant code

        import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf_router/shelf_router.dart';

class UserController {
  final Router _router = Router();

  UserController() {
    _router.post('/register', _registerUser);
  }

  shelf.Response _registerUser(shelf.Request request) {
    var email = request.headers['email'];
    // No validation if email is from disposable mailbox
    // Code to register user
  }

  Router get router => _router;
}
        
        

In the code snippet above, we have a UserController class that handles the user registration process. The _registerUser method accepts a POST request on the '/register' endpoint and retrieves the email from the request headers.

The vulnerability lies in the fact that there is no validation to check if the email provided by the user is from a disposable mailbox or not. This could lead to potential misuse of the application as users could register with temporary emails, perform malicious activities, and then discard the email address, making it hard to trace back the user.

This lack of data validation is a security risk and needs to be addressed by adding appropriate checks to ensure that the email is not from a disposable email service.

Steps

  • Create a list of disposable email providers. This list should include domains like 'yopmail.com'.
  • Before registering the user, check if the email's domain is in the list of disposable email providers.
  • If the email's domain is in the list, reject the registration request and return an error message to the user.
  • Consider using a third-party service or library that maintains a list of disposable email providers and can perform this check for you.
  • Regularly update your list of disposable email providers to ensure it remains effective.

Compliant code

        import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf_router/shelf_router.dart';

class UserController {
  final Router _router = Router();
  final List disposableEmailProviders = ['yopmail.com', 'tempmail.com', '10minutemail.com'];

  UserController() {
    _router.post('/register', _registerUser);
  }

  shelf.Response _registerUser(shelf.Request request) {
    var email = request.headers['email'];
    var emailDomain = email.split('@').last;

    if (disposableEmailProviders.contains(emailDomain)) {
      return shelf.Response.forbidden('Registration with disposable email addresses is not allowed.');
    }

    // Code to register user
  }

  Router get router => _router;
}
        
        

The updated code now includes a list of disposable email providers. This list currently includes 'yopmail.com', 'tempmail.com', and '10minutemail.com', but it can be expanded as needed.

In the _registerUser method, the code now splits the email address at the '@' symbol and takes the last part, which is the domain of the email address. It then checks if this domain is in the list of disposable email providers.

If the email's domain is in the list, the method returns a shelf.Response.forbidden with a message indicating that registration with disposable email addresses is not allowed. This prevents users from registering with disposable email addresses.

If the email's domain is not in the list, the method proceeds with the user registration process as before.

This solution helps to prevent users from registering with disposable email addresses, which can be a security risk. However, it's important to regularly update the list of disposable email providers to ensure it remains effective. You might also consider using a third-party service or library that maintains a list of disposable email providers and can perform this check for you.

References