Lack of data validation - Trust boundary violation - Elixir

Need

Prevent security vulnerabilities caused by mixing trusted and untrusted data in the same data structure or structured message.

Context

  • Usage of Elixir for building scalable and fault-tolerant applications
  • Usage of user-provided data without validation

Description

Non compliant code

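    defmodule VulnerableApp do
      # params arrives straight from the client and is never checked.
      def handle_request(params) do
        {:ok, message} = build_message(params)
        # send_message/1 is application-defined and not shown on this page.
        send_message(message)
      end

      # Untrusted values are interpolated directly into the structured message.
      defp build_message(params) do
        {:ok, "Hello #{params[:name]}, your account balance is #{params[:balance]}"}
      end
    end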

This Elixir code includes user-provided data directly in a structured message without any validation or sanitization. An attacker can manipulate the message to introduce malicious payloads.

Steps

  • Validate user-provided data before including it in structured messages or data structures.
  • Sanitize user-provided data to remove any potentially malicious payloads.
  • Consider using parameterized queries or prepared statements for database operations to prevent SQL Injection attacks.

Compliant code

    defmodule SecureApp do
      # sanitize/1, validate/1 and send_message/1 are application-defined
      # and not shown on this page.
      def handle_request(params) do
        sanitized_params = sanitize(params)

        case validate(sanitized_params) do
          :ok ->
            # Only data that passed validation reaches the message.
            {:ok, message} = build_message(sanitized_params)
            send_message(message)

          {:error, reason} ->
            {:error, reason}
        end
      end

      defp build_message(params) do
        {:ok, "Hello #{params[:name]}, your account balance is #{params[:balance]}"}
      end
    end

This Elixir code validates and sanitizes user-provided data before including it in a structured message, thereby preventing potential injection attacks.
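
A fuller version of the compliant pattern, as an added example that is not part of the original page. The module `TrustBoundaryExample`, its `Trusted` struct, the string-keyed params and the validation rules (letter-based name allowlist, non-negative integer balance) are assumptions chosen for illustration. Validated values are moved into a dedicated struct, so checked and unchecked data never share a structure.

```elixir
defmodule TrustBoundaryExample do
  defmodule Trusted do
    # Built only by validate/1, so holding one means the fields were checked.
    @enforce_keys [:name, :balance]
    defstruct [:name, :balance]
  end

  # Assumed allowlist: starts with a letter; letters, spaces, ' and - only; max 64 chars.
  defp name_pattern, do: ~r/\A\p{L}[\p{L} '\-]{0,63}\z/u

  def handle_request(params) when is_map(params) do
    with {:ok, trusted} <- validate(params) do
      {:ok, build_message(trusted)}
    end
  end

  # The trust boundary: untrusted map in, %Trusted{} or a tagged error out.
  def validate(params) do
    with {:ok, name} <- validate_name(Map.get(params, "name")),
         {:ok, balance} <- validate_balance(Map.get(params, "balance")) do
      {:ok, %Trusted{name: name, balance: balance}}
    end
  end

  defp validate_name(name) when is_binary(name) do
    # Reject invalid UTF-8 before the Unicode regex sees it.
    ok? = String.valid?(name) and Regex.match?(name_pattern(), name)
    if ok?, do: {:ok, name}, else: {:error, :invalid_name}
  end

  defp validate_name(_), do: {:error, :invalid_name}

  # Integer.parse/1 must consume the whole string, so "120abc" is rejected.
  defp validate_balance(balance) when is_binary(balance) do
    case Integer.parse(balance) do
      {value, ""} when value >= 0 -> {:ok, value}
      _ -> {:error, :invalid_balance}
    end
  end

  defp validate_balance(_), do: {:error, :invalid_balance}

  # Matching on %Trusted{} means a raw params map cannot reach the message.
  defp build_message(%Trusted{name: name, balance: balance}) do
    "Hello #{name}, your account balance is #{balance}"
  end
end

# Constructed inputs: well-formed, markup in the name, trailing junk in the balance.
for p <- [%{"name" => "Ana", "balance" => "120"}, %{"name" => "<b>Ana</b>", "balance" => "120"},
          %{"name" => "Ana", "balance" => "120abc"}], do: IO.inspect(TrustBoundaryExample.handle_request(p))
```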
