Lack of Data Validation - Dates - Elixir

Need

Prevent unauthorized changes to product data by validating permissions and data before processing requests

Context

  • Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications
  • Usage of Phoenix Framework for request handling

Description

Non compliant code

defmodule MyAppWeb.ProductController do
  use MyAppWeb, :controller

  def update(conn, params) do
    # No permissions or date validation: whatever the client sends,
    # including malformed or out-of-range dates, is written as-is
    MyApp.update_product(params)
    send_resp(conn, 200, "Product updated")
  end
end

This code is vulnerable because it neither checks that the caller is allowed to modify the product nor validates the dates in 'params' before the update runs. Client-side controls such as disabled fields or a date picker are not a security boundary: an attacker can craft the request directly, so any caller can modify any product, and dates that are malformed, reversed (an end date before the start date) or far outside any sensible range are stored as-is, which can corrupt product data and break the code paths that later read those dates.

Steps

  • Add a function to check if the current user has permission to modify the product.
  • Add another function to validate the dates in 'params' before updating the product.
  • Before calling 'MyApp.update_product', call these two functions. If either check fails, return an error response.

Compliant code

defmodule MyAppWeb.ProductController do
  use MyAppWeb, :controller

  def update(conn, params) do
    if MyApp.check_permissions(conn) && validate_dates(params) do
      MyApp.update_product(params)
      send_resp(conn, 200, "Product updated")
    else
      send_resp(conn, 403, "Invalid request")
    end
  end

  # The field names "available_from" / "available_until" are an assumption
  # for this page; use the names of your own product schema. Returns true
  # only when both values are well-formed ISO 8601 dates in the right order.
  defp validate_dates(%{"available_from" => from, "available_until" => until})
       when is_binary(from) and is_binary(until) do
    with {:ok, from_date} <- Date.from_iso8601(from),
         {:ok, until_date} <- Date.from_iso8601(until) do
      Date.compare(from_date, until_date) != :gt
    else
      _ -> false
    end
  end

  # Missing fields or non-string values are rejected
  defp validate_dates(_params), do: false
end

This code is safe because the permission check and the date validation run on the server before any write, and a request that fails either one is rejected instead of being processed. Two points worth keeping in mind: the permission check must be tied to the specific product being changed (a user allowed to edit their own products must not be able to edit someone else's), and the validated values, rather than the raw params map, should be what reaches the update. Returning 403 for both failures works, but it hides from legitimate clients whether they were refused or simply sent bad data; reserving 403 for the permission failure and 400 or 422 for invalid dates is the conventional split.
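The steps above carried a little further, as an added example that is not part of the original page: the date check returns a reason instead of a bare boolean, rejects malformed, reversed and out-of-range dates, and the controller separates an authorization failure (403) from invalid data (422) and passes only the validated fields on to the update. The field names available_from and available_until, the MyApp.Products functions, conn.assigns.current_user and the 2000 to ten-years-ahead window are assumptions made for this example. MyApp.DateValidation depends only on the Elixir standard library and can be loaded in iex; the controller needs a Phoenix project.

```elixir
defmodule MyApp.DateValidation do
  @moduledoc """
  Validates the date fields a client may send when updating a product.
  The field names "available_from" and "available_until" are assumed for
  this example; substitute the names of your own schema.
  """

  # Assumed business bounds: dates before the catalogue existed or more
  # than ten years ahead are treated as integrity errors, not as data.
  @earliest ~D[2000-01-01]
  @max_years_ahead 10

  @doc """
  Returns {:ok, %{available_from: %Date{}, available_until: %Date{}}}
  or {:error, reason}. Both fields are required ISO 8601 strings.
  """
  def validate_dates(params, today \\ Date.utc_today()) when is_map(params) do
    with {:ok, from} <- parse_date(params, "available_from"),
         {:ok, until} <- parse_date(params, "available_until"),
         :ok <- check_bounds(from, today),
         :ok <- check_bounds(until, today),
         :ok <- check_order(from, until) do
      {:ok, %{available_from: from, available_until: until}}
    end
  end

  # Only exact ISO 8601 strings are accepted: Date.from_iso8601/1 rejects
  # "2024-1-5" (bad format) and "2024-02-30" (impossible date); anything
  # that is not a string is rejected before parsing.
  defp parse_date(params, key) do
    case Map.fetch(params, key) do
      {:ok, value} when is_binary(value) ->
        case Date.from_iso8601(value) do
          {:ok, date} -> {:ok, date}
          {:error, _} -> {:error, "#{key} is not a valid ISO 8601 date"}
        end

      {:ok, _} ->
        {:error, "#{key} must be a string"}

      :error ->
        {:error, "#{key} is required"}
    end
  end

  defp check_bounds(date, today) do
    latest = Date.add(today, 365 * @max_years_ahead)

    cond do
      Date.compare(date, @earliest) == :lt -> {:error, "#{date} is before #{@earliest}"}
      Date.compare(date, latest) == :gt -> {:error, "#{date} is too far in the future"}
      true -> :ok
    end
  end

  defp check_order(from, until) do
    if Date.compare(from, until) == :gt do
      {:error, "available_from must not be after available_until"}
    else
      :ok
    end
  end
end

defmodule MyAppWeb.ProductController do
  use MyAppWeb, :controller

  alias MyApp.DateValidation

  # Assumed helpers (not from the original page): an auth plug that sets
  # conn.assigns.current_user, and MyApp.Products.get_product/1,
  # can_update?/2 and update_product/2.
  def update(conn, %{"id" => id} = params) do
    with {:ok, product} <- MyApp.Products.get_product(id),
         :ok <- authorize(conn.assigns.current_user, product),
         {:ok, dates} <- DateValidation.validate_dates(params),
         # Only the validated fields reach the update, never the raw params
         {:ok, _updated} <- MyApp.Products.update_product(product, dates) do
      send_resp(conn, 200, "Product updated")
    else
      {:error, :not_found} -> send_resp(conn, 404, "Not found")
      {:error, :forbidden} -> send_resp(conn, 403, "Forbidden")
      {:error, reason} when is_binary(reason) -> send_resp(conn, 422, reason)
      {:error, _} -> send_resp(conn, 422, "Invalid request")
    end
  end

  # Authorization is checked against the specific product, so a user who
  # may edit their own products cannot edit someone else's
  defp authorize(user, product) do
    if MyApp.Products.can_update?(user, product), do: :ok, else: {:error, :forbidden}
  end
end
```

Calling MyApp.DateValidation.validate_dates/1 with a reversed range, a non-string value, a missing key or a string such as "2024-02-30" yields an {:error, reason} tuple naming the offending field, and the controller turns that into a 422 while a failed can_update?/2 becomes a 403. The `today` argument exists so the bounds check can be exercised deterministically in tests.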

References