HTTP Parameter Pollution - Elixir

Need

Prevent unexpected behavior due to injection of extra HTTP parameters

Context

  • Usage of Elixir for building scalable and fault-tolerant applications
  • Usage of Plug Cowboy for building web applications in Elixir
  • Usage of HTTP parameter validation
  • Usage of input sanitization for protecting against malicious user input

Description

Non-compliant code

    defmodule MyApp.Router do
      use Plug.Router

      # Query parameters must be fetched before conn.params can be read
      plug :fetch_query_params
      plug :match
      plug :dispatch

      get "/" do
        # The parameter is interpolated into the response without any check
        send_resp(conn, 200, "Hello, #{conn.params["name"]}")
      end

      match _ do
        send_resp(conn, 404, "Oops, not found!")
      end
    end

This Elixir code is vulnerable because it reads `conn.params["name"]` and interpolates it into the response without validating or sanitizing it. Extra or duplicated parameters are accepted exactly as supplied by the client, which can cause unexpected behavior.

Steps

  • Validate the incoming parameters to ensure they are as expected.
  • Sanitize the parameters to remove any potential harmful data.

Compliant code

    defmodule MyApp.Router do
      use Plug.Router

      # Query parameters must be fetched before conn.params can be read
      plug :fetch_query_params
      plug :match
      plug :dispatch

      get "/" do
        # Validation: fall back to an empty string when "name" is absent
        name = Map.get(conn.params, "name", "")
        # Sanitization: strip angle-bracket characters before echoing the value
        name = String.replace(name, ~r/[<>]/, "")
        send_resp(conn, 200, "Hello, #{name}")
      end

      match _ do
        send_resp(conn, 404, "Oops, not found!")
      end
    end

This Elixir code is safe because it validates and sanitizes the incoming parameter: it supplies a default when the 'name' parameter is missing and removes angle-bracket characters from the value before it is echoed back.
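A stricter check for the `name` parameter, as an added example that is not part of the original page. Plug's query decoder collapses duplicate keys to the last value, but a `name[]=` or `name[x]=` key turns the value into a list or a map, which the compliant code above would hand to `String.replace/3` and raise on; this version rejects anything that is not a single bounded plain-text string. It assumes Plug as a dependency, and `MyApp.ParamGuard` is a hypothetical module name.

```elixir
defmodule MyApp.ParamGuard do
  # Added example; MyApp.ParamGuard is a hypothetical module. Assumes Plug is
  # a dependency: Plug.Conn.Query.decode/1 is the decoder Plug itself uses for
  # query strings and urlencoded bodies.
  @max_len 64

  # Decode a raw query string exactly as Plug does. Duplicate keys collapse to
  # the last value, "name[]=" yields a list and "name[x]=" a map, so the type
  # of a parameter is client controlled until it is checked.
  def decode(query) when is_binary(query), do: Plug.Conn.Query.decode(query)

  # Accept "name" only as a single, bounded, plain-text string.
  def fetch_name(params) when is_map(params) do
    case Map.fetch(params, "name") do
      :error -> {:error, :missing}
      {:ok, name} when is_binary(name) -> validate(name)
      # a list or map here means the key was polluted with "[]" or "[k]"
      {:ok, _other} -> {:error, :wrong_type}
    end
  end

  defp validate(name) do
    cond do
      byte_size(name) > @max_len -> {:error, :too_long}
      not String.valid?(name) -> {:error, :invalid_encoding}
      not Regex.match?(allowed(), name) -> {:error, :bad_chars}
      true -> {:ok, name}
    end
  end

  # Letters, digits, space, dot, apostrophe and hyphen; nothing else is echoed.
  defp allowed, do: ~r/\A[\p{L}\p{N} .'-]+\z/u
end

defmodule MyApp.Router do
  use Plug.Router

  plug :fetch_query_params
  plug :match
  plug :dispatch

  get "/" do
    case MyApp.ParamGuard.fetch_name(conn.params) do
      {:ok, name} -> send_resp(conn, 200, "Hello, #{name}")
      # Reject rather than repair: a polluted or malformed parameter is a 400
      {:error, reason} -> send_resp(conn, 400, "invalid name: #{reason}")
    end
  end

  match _, do: send_resp(conn, 404, "Oops, not found!")
end
```

`MyApp.ParamGuard.decode/1` lets you inspect in `iex` what a given query string becomes before it reaches the handler, which is the quickest way to see the list and map cases appear.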
