Restricted fields manipulation - Scala

Need

Prevention of unauthorized access and manipulation of restricted fields

Context

Usage of Scala 2.12 for writing scalable and functional code
Usage of play.api.mvc._ for handling HTTP requests and responses in Play Framework
Usage of play.api.libs.json for JSON parsing and manipulation in Play Framework

Description

Non compliant code

        import play.api.mvc._

def updateEmployee() = Action { implicit request =>
  val body: AnyContent = request.body
  val jsonBody: Option[JsValue] = body.asJson

  jsonBody.map { json =>
    val id = (json \\ "id").as[String]
    val name = (json \\ "name").as[String]
    val email = (json \\ "email").as[String]
    val dob = (json \\ "dob").as[String]
    val address = (json \\ "address").as[String]
    val phone = (json \\ "phone").as[String]
    
    Employee.update(id, name, email, dob, address, phone)
    Ok("Employee updated")
  }.getOrElse {
    BadRequest("Expecting application/json request body")
  }
}

In the above code, we have a function updateEmployee() which is used to update the information of an employee. This function is vulnerable to restricted fields manipulation as it blindly trusts the incoming request and updates the employee information without checking the authenticity of the request.

The function first extracts the JSON body from the request. It then extracts the employee id, name, email, date of birth, address, and phone number from the JSON. It uses these extracted values to update the employee information in the database.

The vulnerability here is that there is no check to ensure that the request is coming from an authorized source. This means that an attacker could send a request with manipulated fields, such as a different employee id, and the function would update the information of the employee with that id, not the one who initiated the request. This could lead to unauthorized access and manipulation of sensitive employee data.

Steps

Implement authentication and authorization mechanisms to ensure that only authorized users can access the updateEmployee endpoint.
Validate the user's permissions before allowing them to update an employee's information.
Implement input validation to ensure that the request body contains all the required fields and that the field values are of the expected data types.
Use parameterized queries or prepared statements when interacting with the database to prevent SQL injection attacks.
Implement access control checks to ensure that users can only update their own employee information and not that of other employees.
Consider implementing a separate endpoint for updating employee information to provide more granular control over the fields that can be modified.
Encrypt sensitive employee information, such as email addresses and phone numbers, when storing them in the database.
Regularly update and patch the Play framework and its dependencies to ensure that any known vulnerabilities are addressed.
Perform regular security audits and penetration testing to identify and fix any potential vulnerabilities in the application.

Compliant code

        import play.api.mvc._
import play.api.libs.json._

def updateEmployee() = Action { implicit request =>
  val body: AnyContent = request.body
  val jsonBody: Option[JsValue] = body.asJson

  jsonBody.map { json =>
    val id = (json \\ "id").as[String]
    val name = (json \\ "name").as[String]
    val email = (json \\ "email").as[String]
    val dob = (json \\ "dob").as[String]
    val address = (json \\ "address").as[String]
    val phone = (json \\ "phone").as[String]
    
    // Check if the user is authenticated and authorized to update the employee information
    if (isUserAuthenticatedAndAuthorized(request, id)) {
      // Validate the input fields
      if (validateInputFields(id, name, email, dob, address, phone)) {
        // Use parameterized query to prevent SQL injection
        Employee.update(id, name, email, dob, address, phone)
        Ok("Employee updated")
      } else {
        BadRequest("Invalid input fields")
      }
    } else {
      Unauthorized("You are not authorized to update this employee information")
    }
  }.getOrElse {
    BadRequest("Expecting application/json request body")
  }
}

def isUserAuthenticatedAndAuthorized(request: Request[AnyContent], employeeId: String): Boolean = {
  // Implement your authentication and authorization logic here
}

def validateInputFields(id: String, name: String, email: String, dob: String, address: String, phone: String): Boolean = {
  // Implement your input validation logic here
}

The updated code now includes checks for user authentication and authorization. The function isUserAuthenticatedAndAuthorized(request, id) is used to check if the user making the request is authenticated and authorized to update the employee information. This function should contain your logic for checking the user's authentication status and their permissions.

The code also includes input validation. The function validateInputFields(id, name, email, dob, address, phone) is used to validate the input fields in the request body. This function should contain your logic for validating the input fields, such as checking if all the required fields are present and if the field values are of the expected data types.

The Employee.update(id, name, email, dob, address, phone) function call is now inside an if statement that checks if the user is authenticated and authorized and if the input fields are valid. This ensures that the employee information is only updated if these conditions are met.

The code also returns appropriate HTTP status codes and messages based on the result of the authentication, authorization, and input validation checks. This provides the client with more information about the result of their request.

Finally, the code still returns a BadRequest status code and message if the request body is not in the expected JSON format.

References

274. Restricted fields manipulation