Lack of data validation - Source Code - Ruby

Lack of data validation - Source Code - Ruby

Need

Implementation of robust data validation in the source code

Context

  • Usage of Ruby for building dynamic and object-oriented applications
  • Usage of ActiveRecord for Object-Relational Mapping (ORM) in database operations

Description

Non compliant code

        def search(params)
  query = params[:q]
  results = User.where("name REGEXP ?", query)
  return results
end

In the above code, we have a search method that takes in parameters, extracts the query from the parameters, and then uses that query in a regular expression to search for users by their name.

The vulnerability lies in the use of the REGEXP operator without any data validation on the query parameter. This means that an attacker could potentially send a specially crafted string as the query parameter that could cause a Denial of Service (DoS) attack by forcing the server to spend a large amount of time evaluating the regular expression. This is known as a Regular Expression Denial of Service (ReDoS) attack.

For instance, an attacker could send a string that includes several repeating characters followed by a single different character (e.g., aaaaaaaaaaaaax). If the regular expression used in the REGEXP operator is complex and has multiple nested quantifiers, evaluating this string could cause the server to hang or crash.

This is a dangerous vulnerability because it could allow an attacker to take down the server by simply sending a specific string of data.

Steps

  • Implement proper input validation to ensure that the 'query' parameter is safe to use.
  • Avoid using dangerous regular expressions that can be exploited by attackers.
  • Consider using a safer method to search for users, such as using a case-insensitive search or exact match search.
  • Sanitize the 'query' parameter to remove any potentially harmful characters or patterns.
  • Implement server-side rate limiting or throttling to prevent abuse of the search functionality.
  • Regularly update and patch the Ruby on Rails framework to benefit from security fixes and improvements.

Compliant code

        def search(params)
  query = params[:q]
  sanitized_query = ActiveRecord::Base.sanitize_sql_like(query)
  results = User.where("name LIKE ?", "%#{sanitized_query}%")
  return results
end

The updated code now includes a sanitization step for the 'query' parameter. This is done using the sanitize_sql_like method provided by the ActiveRecord::Base class in Ruby on Rails. This method escapes any special characters in the 'query' parameter, preventing the possibility of a Regular Expression Denial of Service (ReDoS) attack.

The REGEXP operator has been replaced with the LIKE operator, which performs a case-insensitive search. This is a safer alternative as it does not use regular expressions and therefore is not susceptible to ReDoS attacks.

The '%' characters are used as wildcards, allowing for partial matches. This means that the search functionality will return users whose names contain the 'query' string anywhere within them.

Remember to also implement server-side rate limiting or throttling to prevent abuse of the search functionality, and regularly update and patch the Ruby on Rails framework to benefit from security fixes and improvements.

References