Lack of data validation - Dates - TypeScript

Need

Implementation of robust data validation for date fields

Context

  • Usage of TypeScript for statically typed JavaScript development
  • Usage of Express for building web applications and APIs

Description

Non compliant code

import express from 'express';

const app = express();
app.use(express.json());

app.post('/updateProduct', (req, res) => {
  // Both fields are taken from the body as received: nothing checks their type, format or range
  const { productNumber, movementDate } = req.body;

  // Vulnerable code: Lack of data validation for movementDate
  // The server does not validate if the user has permission to modify the movementDate field

  // Process the request and update the product information
  // ...

  res.status(200).json({ message: 'Product updated successfully' });
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});


The vulnerability in this code is the lack of data validation for the movementDate field in the /updateProduct route.

In this code, the server receives a POST request to update a product. The request body contains the productNumber and movementDate fields, and both are used exactly as received: the server neither validates the movementDate value nor checks that the user has permission to modify it.

This means that a malicious user can send a request with any movementDate value, bypassing whatever restrictions the front end enforces. The server processes the request and updates the product information without verifying that the movementDate value is valid.

This vulnerability affects the system's integrity and availability. For example, an invalid or future movementDate produces an incorrect or inconsistent product history, which in turn leads to availability problems such as wrong stock levels or mistracked product movements.

To mitigate this vulnerability, it is recommended to implement server-side data validation. The server should validate the movementDate field to ensure that it meets the required criteria and that the user has permission to modify it before processing the request.

Steps

  • Validate the 'movementDate' field on the server side before processing the request
  • Check if the user has permission to modify the 'movementDate' field
  • If the user does not have permission, return an error response
  • If the user has permission, proceed with processing the request and updating the product information

Compliant code

import express from 'express';

// Assumed user shape; an authentication middleware (not shown) populates req.user
interface User {
  id: string;
  roles: string[];
}

// Tell TypeScript about req.user, the same augmentation pattern authentication libraries use
declare global {
  namespace Express {
    interface Request {
      user?: User;
    }
  }
}

const app = express();
app.use(express.json());

app.post('/updateProduct', (req, res) => {
  const { productNumber, movementDate } = req.body;

  // Validate the 'movementDate' field on the server side before processing the request
  if (!isValidDate(movementDate)) {
    return res.status(400).json({ message: 'Invalid movement date' });
  }

  // Check if the user has permission to modify the 'movementDate' field
  if (!hasPermissionToModifyDate(req.user)) {
    return res.status(403).json({ message: 'You do not have permission to modify the movement date' });
  }

  // Process the request and update the product information
  // ...

  res.status(200).json({ message: 'Product updated successfully' });
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

// Accept only a YYYY-MM-DD string that names a real calendar date and is not in the future
function isValidDate(date: unknown): boolean {
  if (typeof date !== 'string') return false;
  const match = /^(\d{4})-(\d{2})-(\d{2})$/.exec(date);
  if (!match) return false;
  const [year, month, day] = match.slice(1).map(Number);
  const parsed = new Date(Date.UTC(year, month - 1, day));
  // Date.UTC rolls out-of-range days over (Feb 30 becomes Mar 2), so compare the components back
  const isRealDate =
    parsed.getUTCFullYear() === year && parsed.getUTCMonth() === month - 1 && parsed.getUTCDate() === day;
  return isRealDate && parsed.getTime() <= Date.now();
}

// Only users holding the inventory-admin role may change movement dates (the role name is an assumption)
function hasPermissionToModifyDate(user: User | undefined): boolean {
  return user !== undefined && user.roles.includes('inventory-admin');
}


The fixed code is written in TypeScript and uses the Express framework to handle HTTP requests.

The code starts by importing the necessary modules and setting up the Express application. It also includes middleware to parse incoming JSON data.

The app.post('/updateProduct') route is responsible for handling the POST requests to update a product. It expects the request body to contain the productNumber and movementDate fields.

To address the vulnerability, the code performs server-side validation on the movementDate field before processing the request. It calls the isValidDate function to validate the date. If the date is invalid, it returns a 400 Bad Request response with an error message.

The code also checks if the user has permission to modify the movementDate field by calling the hasPermissionToModifyDate function. If the user does not have permission, it returns a 403 Forbidden response with an error message.

If the date is valid and the user has permission, the code proceeds to process the request and update the product information. The specific logic for updating the product is not shown in the code.

Finally, the code sends a 200 OK response with a success message if the request is successfully processed.

The code also includes the isValidDate and hasPermissionToModifyDate functions, which hold the date validation and permission check logic. They should be adapted to the specific requirements of the application: which date formats and ranges are acceptable, and which users or roles may change a movement date.
