Insufficient data authenticity validation - Front bypass - Ruby

Insufficient data authenticity validation - Front bypass - Ruby

Need

Enhancement of data authenticity validation to prevent front bypass

Context

  • Usage of Ruby 2.7.0 as the programming language for development
  • Usage of Rails framework for building web applications

Description

Non compliant code

        # app/controllers/users_controller.rb
class UsersController < ApplicationController
  def update
    @user = User.find(params[:id])
    if @user.update(user_params)
      redirect_to @user, notice: 'User was successfully updated.'
    else
      render :edit
    end
  end

  private

  def user_params
    params.require(:user).permit(:password)
  end
end
        
        

In the above code, the update action in the UsersController is used to update the user's password. The new password is taken directly from the parameters sent in the request ( params[:user][:password]) and is passed to the update method of the User model instance ( @user.update(user_params)).

The vulnerability here is that there is no server-side validation of the new password. The only checks being performed are on the client-side (front-end), which can easily be bypassed by a malicious user. This means that a user could potentially update their password to a value that does not comply with the system's password policy (e.g., consecutive and/or repeated numbers).

This is a serious issue as it can lead to weak passwords being used, which in turn can lead to unauthorized access and potential data breaches.

Steps

  • Move the password validation logic from the front-end to the back-end.
  • Add server-side validation to check if the password meets the required policies (e.g., not consecutive or repeated numbers).
  • Update the 'update' action in the UsersController to include the server-side password validation logic.
  • If the password does not meet the required policies, return an error response to the front-end.
  • Ensure that the error response is properly handled and displayed to the user on the front-end.
  • If the password meets the required policies, proceed with updating the user's password.
  • Consider implementing additional security measures such as password hashing and salting to protect user passwords.
  • Test the updated code to ensure that the password validation is working correctly.

Compliant code

        # app/models/user.rb
class User < ApplicationRecord
  validate :password_complexity

  def password_complexity
    if password.present? and not password.match(/^(?!.*(\\d)\\1{2}).*$/)
      errors.add :password, "Password complexity requirement not met. Please ensure your password does not contain consecutive or repeated numbers."
    end
  end
end

# app/controllers/users_controller.rb
class UsersController < ApplicationController
  def update
    @user = User.find(params[:id])
    if @user.update(user_params)
      redirect_to @user, notice: 'User was successfully updated.'
    else
      render :edit
    end
  end

  private

  def user_params
    params.require(:user).permit(:password)
  end
end
        
        

The updated code includes a server-side password validation logic in the User model. The password_complexity method checks if the password contains consecutive or repeated numbers. If the password does not meet this requirement, an error is added to the password field.

In the UsersController, the update action has been updated to include the server-side password validation logic. When a user attempts to update their password, the update action will first check if the new password meets the required policies. If the password does not meet the required policies, the update action will return an error response to the front-end, and the user will be redirected to the edit page. If the password meets the required policies, the user's password will be updated, and the user will be redirected to their user page with a success notice.

This update ensures that the password validation is done on the server-side, providing an additional layer of security to protect user passwords. It is also recommended to implement additional security measures such as password hashing and salting. After implementing these changes, make sure to test the updated code to ensure that the password validation is working correctly.

References