To prevent injection of potentially malicious characters into application fields
defmodule MyApp.UserController do
  use MyApp.Web, :controller

  # Reference version of the weak pattern discussed on this page: the request
  # params are cast into a changeset and written immediately.
  # `MyApp.Repo.update!/1` raises on an invalid changeset, so rejected input
  # surfaces as an unhandled error rather than a controlled 4xx response, and
  # nothing here ties `params["id"]` to the requesting user.
  # NOTE(review): presumably authorization is handled by a plug elsewhere —
  # confirm before reusing this action.
  def update(conn, params) do
    _updated =
      User
      |> MyApp.Repo.get!(params["id"])
      |> User.changeset(params)
      |> MyApp.Repo.update!()

    send_resp(conn, 200, "User data updated successfully")
  end
end
The Elixir code allows a user to update their data without performing any server-side validation or checks on the user input, which could lead to injection of potentially malicious characters into application fields.
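defmodule MyApp.UserController do
  use MyApp.Web, :controller

  @doc """
  Updates the user identified by `params["id"]` with the request params.

  Replies 200 when the write succeeds and 400 when the changeset is rejected,
  either by the validations declared in `User.changeset/2` or by a database
  constraint reported at write time.
  """
  def update(conn, params) do
    changeset =
      User
      |> MyApp.Repo.get!(params["id"])
      |> User.changeset(params)

    # `Repo.update/1` rather than `changeset.valid?` + `update!/1`: constraint
    # errors (e.g. a unique index) are only detected at write time, so they are
    # invisible to `valid?` and would make `update!/1` raise. With `update/1`
    # both validation and constraint failures come back as `{:error, changeset}`
    # and map to the same 400 response.
    # NOTE(review): nothing here checks that the caller may edit this id;
    # presumably an authorization plug runs before this action — confirm.
    case MyApp.Repo.update(changeset) do
      {:ok, _user} ->
        send_resp(conn, 200, "User data updated successfully")

      {:error, _changeset} ->
        send_resp(conn, 400, "Invalid data")
    end
  end
end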
The secure Elixir code checks the validity of the changeset before updating the user data, so that only values which pass the validations declared in `User.changeset/2` reach the database. This prevents the injection of potentially malicious characters into application fields, provided that the changeset casts only the permitted fields and declares validations for them, since `valid?` reflects those rules rather than any inspection of the raw params.