Restricted fields manipulation - TypeScript

Restricted fields manipulation - TypeScript

Need

Prevention of unauthorized access and manipulation of restricted fields

Context

  • Usage of TypeScript for statically typed JavaScript development
  • Usage of Express for building web applications and APIs

Description

Non compliant code

        import express from 'express';

const app = express();
const employees = [
  { id: 1, name: 'John Doe', email: 'john@example.com', dni: '123456789' },
  { id: 2, name: 'Jane Smith', email: 'jane@example.com', dni: '987654321' },
];

app.put('/employees/:id', (req, res) => {
  const { id } = req.params;
  const { dni } = req.body;

  const employee = employees.find((emp) => emp.id === parseInt(id));

  if (!employee) {
    return res.status(404).json({ message: 'Employee not found' });
  }

  employee.dni = dni;

  return res.json({ message: 'Employee information updated successfully' });
});

app.listen(3000, () => {
  console.log('Server running on port 3000');
});
        
        

The vulnerability in this code is that it allows an attacker to manipulate the restricted field (DNI) of other employees from different companies. The vulnerability arises from the fact that the code does not verify if the user making the request has the necessary permissions to modify the employee information.

In the code, there is an endpoint defined as PUT /employees/:id which is used to update the DNI of an employee. The id parameter is used to identify the employee to be updated. The dni field is taken from the request body and used to update the employee's DNI.

However, there is no check to ensure that the user making the request has the necessary permissions to modify the employee information. This means that any user, even without proper authorization, can send a request to this endpoint and modify the DNI of any employee in the employees array.

This vulnerability allows an attacker to impersonate other employees by changing their DNI, and as a result, they can modify or replace the personal information of targeted employees, such as names, email addresses, dates of birth, addresses, and telephone numbers.

To mitigate this vulnerability, the code should include a check to verify that the user making the request has the necessary permissions to modify the employee information. This could be done by implementing an authentication and authorization mechanism to ensure that only authorized users can access and modify the employee data.

Steps

  • Implement authentication and authorization mechanisms to ensure that only authorized users can modify employee information.
  • Validate the user's permissions before allowing them to update employee information.
  • Add input validation to ensure that the provided DNI is in the correct format and meets any other necessary criteria.
  • Consider implementing rate limiting or other security measures to prevent abuse and protect against brute force attacks.
  • Store sensitive employee information securely, such as encrypting the DNI before storing it in the database.
  • Regularly review and update the code to address any new security vulnerabilities or best practices.

Compliant code

        import express from 'express';

const app = express();
const employees = [
  { id: 1, name: 'John Doe', email: 'john@example.com', dni: '123456789' },
  { id: 2, name: 'Jane Smith', email: 'jane@example.com', dni: '987654321' },
];

app.put('/employees/:id', (req, res) => {
  const { id } = req.params;
  const { dni } = req.body;

  const employee = employees.find((emp) => emp.id === parseInt(id));

  if (!employee) {
    return res.status(404).json({ message: 'Employee not found' });
  }

  // Check if the user has the necessary permissions to update employee information
  // Implement your authentication and authorization logic here
  if (!userHasPermission(req.user)) {
    return res.status(403).json({ message: 'Unauthorized' });
  }

  // Validate the provided DNI
  if (!isValidDNI(dni)) {
    return res.status(400).json({ message: 'Invalid DNI' });
  }

  // Update the employee's DNI
  employee.dni = dni;

  return res.json({ message: 'Employee information updated successfully' });
});

app.listen(3000, () => {
  console.log('Server running on port 3000');
});

// Helper functions

function userHasPermission(user: any): boolean {
  // Implement your authorization logic here
  // Return true if the user has the necessary permissions, otherwise false
  // You can use user roles, permissions, or any other mechanism to determine authorization
  return true;
}

function isValidDNI(dni: string): boolean {
  // Implement your DNI validation logic here
  // Return true if the DNI is valid, otherwise false
  // You can use regular expressions or any other validation mechanism
  return true;
}
        
        

The fixed code addresses the vulnerability by implementing several measures to ensure the safety of the application.

1. The code defines an array of employee objects with their respective properties such as id, name, email, and dni.

2. The code sets up an Express server and defines a PUT route for updating employee information. The route expects the employee id as a parameter and the new dni value in the request body.

3. The code first checks if the employee with the given id exists in the employees array. If not, it returns a 404 error response indicating that the employee was not found.

4. Next, the code checks if the user making the request has the necessary permissions to update employee information. This is done by calling the userHasPermission function, which should contain the authentication and authorization logic. If the user does not have the necessary permissions, a 403 error response is returned.

5. The code then validates the provided dni value by calling the isValidDNI function. This function should contain the validation logic for the dni. If the dni is invalid, a 400 error response is returned.

6. Finally, if all the checks pass, the code updates the dni value of the employee object and returns a success message in the response.

7. The code also includes helper functions userHasPermission and isValidDNI which are placeholders for the actual implementation. These functions should be implemented with the appropriate logic for authentication, authorization, and dni validation.

Overall, the fixed code ensures that only authorized users can update employee information and validates the provided dni value to prevent any unauthorized changes to employee data.

References