Restricted fields manipulation - Ruby

Restricted fields manipulation - Ruby

Need

Prevention of unauthorized access and manipulation of restricted fields

Context

  • Usage of Ruby 2.7.0 for Ruby programming and development
  • Usage of Rails framework for building web applications

Description

Non compliant code

        class EmployeesController < ApplicationController
  def update
    @employee = Employee.find(params[:id])
    
    if @employee.update(employee_params)
      redirect_to @employee
    else
      render 'edit'
    end
  end
  
  private
    def employee_params
      params.require(:employee).permit(:name, :email, :dob, :address, :phone, :dni)
    end
end
        
        

In this code snippet, the update action in the EmployeesController is used to update the details of an employee. The employee to be updated is identified by the id parameter, which is passed in the URL of the request. The updated details are then passed as parameters in the body of the request.

The vulnerability lies in the line where the update method is called on the @employee object. This method updates the @employee object with the parameters passed in the request, which includes the DNI field. Since there are no checks in place to verify if the user making the request is authorized to update the details of the employee, an attacker can change the details of any employee by simply changing the id parameter in the URL and the parameters in the body of the request.

This can lead to a scenario where an attacker can update the details of employees from other companies, thereby leading to a restricted fields manipulation vulnerability. The attacker can also change the DNI to different values, which can replace the existing data. This can lead to the information of targeted employees, such as names, email addresses, dates of birth, addresses, telephone numbers, etc., being changed without their knowledge or consent.

Steps

  • Implement authentication and authorization mechanisms to ensure that only authorized users can access and modify employee data.
  • Validate the user's permissions before allowing them to update employee information.
  • Implement input validation to ensure that the provided data is valid and does not contain any malicious content.
  • Use a separate form or page for updating employee information to prevent unauthorized access to other employees' data.
  • Implement server-side validation to verify that the requested changes are valid and do not violate any business rules or constraints.
  • Consider implementing a multi-step confirmation process for updating sensitive employee information, such as DNI, to prevent unauthorized changes.
  • Regularly review and update the access control mechanisms to ensure that only authorized users have the necessary permissions to modify employee data.

Compliant code

        class EmployeesController < ApplicationController
  before_action :authenticate_user!
  before_action :set_employee, only: [:update]
  before_action :authorize_user, only: [:update]

  def update
    if @employee.update(employee_params)
      redirect_to @employee
    else
      render 'edit'
    end
  end
  
  private
    def set_employee
      @employee = Employee.find(params[:id])
    end

    def employee_params
      params.require(:employee).permit(:name, :email, :dob, :address, :phone, :dni)
    end

    def authenticate_user!
      # Implement your user authentication logic here
    end

    def authorize_user
      unless current_user.can_edit?(@employee)
        redirect_to root_path, alert: "You are not authorized to edit this employee's data"
      end
    end
end
        
        

The updated code includes several security measures to prevent unauthorized access and manipulation of employee data.

1. before_action :authenticate_user!
- This line ensures that a user is authenticated before they can access the update action. The authenticate_user! method should contain the logic for authenticating a user.

2. before_action :set_employee, only: [:update]
- This line sets the @employee instance variable for the update action. This is done to avoid repetition and to ensure that the employee exists before attempting to update their information.

3. before_action :authorize_user, only: [:update]
- This line ensures that the user is authorized to update the employee's information. The authorize_user method should contain the logic for checking if the current user has the necessary permissions to update the employee's information.

4. def authorize_user
- This method checks if the current user has the necessary permissions to edit the employee's data. If they do not, they are redirected to the root path with an alert message.

By implementing these measures, we can ensure that only authenticated and authorized users can update employee data, thus preventing unauthorized access and manipulation of data.

References