Lack of data validation - Out of range - Scala

Lack of data validation - Out of range - Scala

Need

Implementation of proper input validation and range checking

Context

  • Usage of Scala for building scalable and functional applications
  • Usage of play.api.mvc for handling HTTP requests and building web applications in the Play framework

Description

Non compliant code

        import play.api.mvc._

object EmployeeManagementController extends Controller {
  def manageEmployee = Action {
    Ok("Employee Management Page")
  }
}

object Application extends Controller {
  val restrictedDomains = List("restricted.com", "blocked.com")

  def index = Action { request =>
    request.session.get("user") match {
      case Some(user) =>
        if (restrictedDomains.contains(user)) {
          Ok("Restricted Page")
        } else {
          Redirect(routes.EmployeeManagementController.manageEmployee())
        }
      case None => Unauthorized("Oops, you are not connected")
    }
  }
}
        
        

In the provided code snippet, the application is using the Play Framework for Scala. The EmployeeManagementController object has a single action manageEmployee that simply returns a string "Employee Management Page".

The Application object has a restrictedDomains list that contains domains from which users are restricted to access certain functionalities such as Employee Management.

In the index action of the Application object, the application checks if the user is authenticated by checking if the "user" session variable is set. If the user is authenticated, the application checks if the user's domain is in the list of restrictedDomains. If it is, the application returns a "Restricted Page". If it is not, the application redirects the user to the manageEmployee action of the EmployeeManagementController.

The vulnerability here is that the application does not validate the path that the user is trying to access. An authenticated user from a restricted domain can bypass the domain restrictions by using the absolute path to the manageEmployee action. This means that even though the user's domain is restricted, they can still access the manageEmployee action by directly using its absolute path.

Steps

  • Implement input validation to ensure that the 'user' session value is within the expected range.
  • Use a whitelist approach to validate the 'user' session value against a list of allowed domains.
  • If the 'user' session value is not within the allowed domains, handle the request accordingly (e.g., show an error message or redirect to a different page).

Compliant code

        import play.api.mvc._

object EmployeeManagementController extends Controller {
  def manageEmployee = Action {
    Ok("Employee Management Page")
  }
}

object Application extends Controller {
  val restrictedDomains = List("restricted.com", "blocked.com")
  val allowedDomains = List("allowed1.com", "allowed2.com") // Add a list of allowed domains

  def index = Action { request =>
    request.session.get("user") match {
      case Some(user) =>
        if (restrictedDomains.contains(user)) {
          Ok("Restricted Page")
        } else if (allowedDomains.contains(user)) { // Check if the user domain is in the allowed list
          Redirect(routes.EmployeeManagementController.manageEmployee())
        } else {
          Unauthorized("Oops, you are not connected or your domain is not allowed") // Handle the case when the user domain is not in the allowed list
        }
      case None => Unauthorized("Oops, you are not connected")
    }
  }
}
        
        

The original code had a vulnerability where an authenticated user in a domain that restricts certain functionalities such as Employee Management, could bypass the restrictions by using absolute paths to these functionalities. This was due to a lack of data validation for the 'user' session value.

The fixed code introduces input validation to ensure that the 'user' session value is within the expected range. This is done by using a whitelist approach to validate the 'user' session value against a list of allowed domains. If the 'user' session value is not within the allowed domains, the request is handled accordingly by showing an error message or redirecting to a different page.

In the fixed code, a list of allowed domains is added. When a request is received, the 'user' session value is checked against this list. If the 'user' session value is in the allowed list, the user is redirected to the Employee Management page. If the 'user' session value is not in the allowed list, an error message is shown indicating that the user is not connected or their domain is not allowed. This ensures that only users from allowed domains can access the Employee Management functionality, thereby fixing the vulnerability.

References