Insecure functionality - User management - Scala

Insecure functionality - User management - Scala

Need

Secure user management and access control

Context

  • Usage of Scala for building scalable and high-performance applications
  • Usage of play.api.mvc for handling HTTP requests and responses in Play Framework
  • Usage of play.api.libs.json for JSON parsing and manipulation in Play Framework
  • Usage of global execution context for Scala concurrent programming

Description

Non compliant code

        import play.api.mvc._
import play.api.libs.json._
import scala.concurrent.ExecutionContext.Implicits.global

class UserController @Inject()(cc: ControllerComponents) extends AbstractController(cc) {
  def assignManager(email: String) = Action.async { implicit request =>
    val user = User.find(email)
    user match {
      case Some(u) => {
        val manager = Manager.create(u)
        EmailService.sendEmail(email, "You have been assigned as a manager.")
        Ok(Json.toJson(manager))
      }
      case None => {
        val manager = Manager.create(User(email = email))
        EmailService.sendEmail(email, "You have been assigned as a manager.")
        Ok(Json.toJson(manager))
      }
    }
  }
}
        
        

The above Scala code is vulnerable to insecure user management functionality. The assignManager function in the UserController class is assigning a user as a manager based on their email address without checking if the email is registered or not.

The function first tries to find a user with the provided email. If the user exists, it assigns them as a manager and sends an email notification. However, if the user doesn't exist, the function still creates a manager with the provided email and sends an email notification.

This means that an email can be assigned as a manager even if it's not registered in the system or if the user associated with the email has been removed from all projects. Furthermore, the function doesn't restrict access to vulnerability information and policies based on the user's status in the system, which could lead to unauthorized access to sensitive information.

Steps

  • Implement user authentication and authorization to ensure that only authenticated and authorized users can assign managers.
  • Validate the email address before assigning it as a manager to prevent assigning non-existent or invalid email addresses.
  • Check if the email address is already registered as a user before assigning it as a manager.
  • Remove the ability to assign managers to non-users.
  • Remove the ability to send emails to non-registered email addresses.
  • Ensure that the information of vulnerabilities and policies is only accessible to registered users who have the necessary permissions.
  • Implement proper user management functionality to handle user removal from projects and organizations.

Compliant code

        import play.api.mvc._
import play.api.libs.json._
import scala.concurrent.ExecutionContext.Implicits.global

class UserController @Inject()(cc: ControllerComponents, authService: AuthService) extends AbstractController(cc) {
  def assignManager(email: String) = Action.async { implicit request =>
    authService.authenticateRequest(request) match {
      case Some(user) => {
        if (user.email == email) {
          val manager = Manager.create(user)
          EmailService.sendEmail(email, "You have been assigned as a manager.")
          Ok(Json.toJson(manager))
        } else {
          BadRequest(Json.toJson("Error: Only registered users can be assigned as managers."))
        }
      }
      case None => Unauthorized(Json.toJson("Error: Unauthorized request."))
    }
  }
}
        
        

The updated code now includes an AuthService which is used to authenticate the request. This ensures that only authenticated users can assign managers.

The assignManager function now checks if the authenticated user's email matches the provided email. If it does, the user is assigned as a manager and an email is sent to them. If the emails do not match, a BadRequest response is returned with an error message stating that only registered users can be assigned as managers.

If the request is not authenticated, an Unauthorized response is returned.

This code fixes the vulnerability by ensuring that only authenticated and authorized users can assign managers, and only registered users can be assigned as managers. It also prevents sending emails to non-registered email addresses and ensures that the information of vulnerabilities and policies is only accessible to registered users who have the necessary permissions.

References