Lack of data validation - Trust boundary violation - TypeScript

Lack of data validation - Trust boundary violation - TypeScript

Need

Enforcement of strict data validation and separation of trusted and untrusted data

Context

  • Usage of Node.js v14.0.0 for server-side JavaScript development
  • Usage of Express for building web applications and APIs

Description

Non compliant code

        import express from 'express';

const app = express();

app.post('/api/data', (req, res) => {
  const { trustedData, untrustedData } = req.body;

  const data = {
    trustedData,
    untrustedData
  };

  // Process the data...

  res.sendStatus(200);
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
        
        

The vulnerability in this code is a lack of data validation, specifically a trust boundary violation. The code receives data from the client's request body, which includes both trustedData and untrustedData. The problem lies in the fact that both trusted and untrusted data are mixed together in the same data structure, without any validation or differentiation.

This can lead to potential security issues because untrusted data can contain malicious content or unexpected input. By mixing trusted and untrusted data in the same structure, the code may inadvertently introduce untrusted data into critical data structures or structured messages, which can result in various types of injections.

In this case, the recommendation to prevent this vulnerability is to avoid using untrusted data in critical data structures or structured messages. This means that the code should validate and sanitize the untrusted data separately before incorporating it into any critical data structures or messages.

Steps

  • Separate trusted and untrusted data into different data structures or structured messages.
  • Perform data validation and sanitization on the untrusted data before using it.
  • Consider using a validation library or framework to simplify the data validation process.
  • Implement input validation and filtering techniques to prevent common types of injections, such as SQL injection or XSS.
  • Educate developers on the importance of data validation and the potential risks of mixing trusted and untrusted data.

Compliant code

        import express from 'express';
import { validate } from 'some-validation-library'; // replace with the actual validation library

const app = express();

app.post('/api/data', (req, res) => {
  const { trustedData, untrustedData } = req.body;

  const validatedUntrustedData = validate(untrustedData); // perform data validation

  const data = {
    trustedData,
    untrustedData: validatedUntrustedData
  };

  // Process the data...

  res.sendStatus(200);
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
        
        

In the fixed code, we have made changes to address the vulnerability of lack of data validation and trust boundary violation. Here's an explanation of the changes made:

1. We import the necessary modules, including the express framework and a validation library (replace some-validation-library with the actual library you are using for data validation).

2. We create an instance of the express application.

3. We define a route for handling POST requests to '/api/data'. This route expects the request body to contain two properties: trustedData and untrustedData.

4. Inside the route handler, we perform data validation on the untrustedData using the validate function from the validation library. This step ensures that only valid data is used.

5. We create a new object called data that contains both the trustedData and the validated untrustedData.

6. We can now process the data object as needed. This step ensures that the untrusted data is separated from the trusted data and can be handled appropriately.

7. Finally, we send a response with a status code of 200 to indicate a successful request.

8. The server listens on port 3000, and a message is logged to the console to indicate that the server is running.

By performing data validation on the untrusted data and separating it from the trusted data, we ensure that only validated data is used in critical data structures or structured messages, addressing the vulnerability.

References