Enforcement of proper security controls for data creation
```dart
import 'package:shelf/shelf.dart' as shelf;

class Policy {
  List<String> beneficiaries = [];

  // No upper bound is enforced here: a caller can add as many as it likes.
  void addBeneficiary(String beneficiary) {
    beneficiaries.add(beneficiary);
  }
}

shelf.Response handleRequest(shelf.Request request) {
  var policy = Policy();
  // queryParametersAll returns null when the parameter is absent.
  var beneficiaries =
      request.url.queryParametersAll['beneficiaries'] ?? const <String>[];
  for (var beneficiary in beneficiaries) {
    policy.addBeneficiary(beneficiary);
  }
  // ... rest of the code
  return shelf.Response.ok('Policy created'); // placeholder response
}
```
The above code is a simplified representation of the vulnerability. Here, we are using the shelf framework to handle HTTP requests in a Dart backend application. In the `Policy` class, we have a list of beneficiaries; the `addBeneficiary` method is used to add a beneficiary to this list. In the `handleRequest` function, we create a new `Policy` object and add beneficiaries from the request parameters to it. The vulnerability lies in the fact that there is no restriction on the number of beneficiaries that can be added to a policy. This allows a user to bypass the intended limit of four beneficiaries and add as many as they want.

This vulnerability affects the integrity of the data sent, because it allows the creation of policies with an arbitrary number of beneficiaries. This could lead to unexpected behavior in other parts of the application that assume a maximum of four beneficiaries per policy.
```dart
import 'package:shelf/shelf.dart' as shelf;

class Policy {
  List<String> beneficiaries = [];

  // Enforces the limit on the server side, before the list is mutated.
  String addBeneficiary(String beneficiary) {
    if (beneficiaries.length >= 4) {
      return 'Error: Maximum number of beneficiaries is 4';
    }
    beneficiaries.add(beneficiary);
    return 'Beneficiary added successfully';
  }
}

shelf.Response handleRequest(shelf.Request request) {
  var policy = Policy();
  // queryParametersAll returns null when the parameter is absent.
  var beneficiaries =
      request.url.queryParametersAll['beneficiaries'] ?? const <String>[];
  for (var beneficiary in beneficiaries) {
    String result = policy.addBeneficiary(beneficiary);
    if (result.startsWith('Error')) {
      // Reject the whole request as soon as the limit is exceeded.
      return shelf.Response(400, body: result);
    }
  }
  // ... rest of the code
  return shelf.Response.ok('Policy created'); // placeholder response
}
```
The code above fixes the vulnerability by adding a check in the `addBeneficiary` method of the `Policy` class. This check ensures that the number of beneficiaries does not exceed four. If the number of beneficiaries is already four, the method does not add any more beneficiaries and instead returns an error message.

This check is done before a new beneficiary is added to the list. If the `addBeneficiary` method returns an error message, the `handleRequest` method handles this by returning a `shelf.Response` with a status code of 400 (Bad Request) and the error message as the body. This informs the client that their request to add another beneficiary was unsuccessful because the maximum number of beneficiaries has already been reached.
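As an added example (not code from the original write-up), here is a hardened variant of the fix that validates the whole beneficiary list before mutating the policy, so a rejected request never leaves a partially filled policy behind, keeps the limit in a named constant, and signals failure with a typed exception and a JSON error body instead of a string prefix. The names `setBeneficiaries`, `PolicyValidationError` and `maxBeneficiaries`, and the extra empty-name and duplicate checks, are my assumptions and go beyond the page's single count check.

```dart
import 'dart:convert';
import 'package:shelf/shelf.dart' as shelf;

/// Server-side limit on beneficiaries per policy (the page's limit of four).
const int maxBeneficiaries = 4;

/// Thrown when a submitted beneficiary list violates the policy rules.
class PolicyValidationError implements Exception {
  final String message;
  PolicyValidationError(this.message);
}

class Policy {
  final List<String> _beneficiaries = [];
  List<String> get beneficiaries => List.unmodifiable(_beneficiaries);

  /// Validates the complete list first and only then commits it, so the
  /// policy is never left in a half-populated state on rejection.
  void setBeneficiaries(List<String> names) {
    final cleaned = names.map((n) => n.trim()).toList();
    if (cleaned.isEmpty) {
      throw PolicyValidationError('At least one beneficiary is required');
    }
    if (cleaned.length > maxBeneficiaries) {
      throw PolicyValidationError(
          'Maximum number of beneficiaries is $maxBeneficiaries');
    }
    if (cleaned.any((n) => n.isEmpty)) {
      throw PolicyValidationError('Beneficiary names must not be empty');
    }
    if (cleaned.toSet().length != cleaned.length) {
      throw PolicyValidationError('Duplicate beneficiaries are not allowed');
    }
    _beneficiaries..clear()..addAll(cleaned);
  }
}

shelf.Response handleRequest(shelf.Request request) {
  // queryParametersAll returns null when the parameter is absent.
  final names =
      request.url.queryParametersAll['beneficiaries'] ?? const <String>[];
  final policy = Policy();
  try {
    policy.setBeneficiaries(names);
  } on PolicyValidationError catch (e) {
    return shelf.Response(400, body: jsonEncode({'error': e.message}),
        headers: {'content-type': 'application/json'});
  }
  return shelf.Response.ok(jsonEncode({'beneficiaries': policy.beneficiaries}),
      headers: {'content-type': 'application/json'});
}
```

A request with five names is rejected with 400 and no beneficiary is stored, whereas the add-then-check version in the fix above would already hold four entries when the fifth is refused.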