A system user selects a product they want to learn more about.
Your company is building an application for a client. It requires a function that searches for a product by a given ID in the products table of the database. After a quick review, your boss has identified a vulnerability in the code that creates a risk for your company and has asked you to remediate the error.
Please take the next step and identify the vulnerability.
After some hours of hard work, the developer came up with the code below.
Could you tell me the line number and the vulnerability category of the code snippet below?
1  import re
2
3  def get_product(product_id):
4      db_connection = get_db_connection()
5      num_format = re.compile(r'^\d+$', re.M)
6      if re.match(num_format, product_id):
7          query = f"SELECT * FROM products WHERE id = {product_id}"
8          product = db_connection.execute(query).fetchone()
9          db_connection.close()
10         if product is None:
11             response(Http404)
12         return product
13     else:
14         response(Http404)

Video walkthrough: https://youtu.be/NylZZ1fmfUw
Use the DEVELOPER SURVEY link below to answer the challenge. (Please note that you will be redirected to jotform.com.)
The function receives input, but it does not validate, or incorrectly validates, that the input has the properties required to process the data safely and correctly. This is the definition of Improper Input Validation (CWE-20); in this snippet the incorrect validation sits on lines 5 and 6, and the unvalidated value is then interpolated straight into the SQL statement on line 7.
1  import re
2
3  def get_product(product_id):
4      db_connection = get_db_connection()
5      num_format = re.compile(r'^\d+$', re.M)   # re.M makes '$' match before any newline
6      if re.match(num_format, product_id):      # match() only anchors the start of the string
7          query = f"SELECT * FROM products WHERE id = {product_id}"   # raw interpolation into SQL
8          product = db_connection.execute(query).fetchone()
9          db_connection.close()
10         if product is None:
11             response(404)
12         return product
13     else:
14         response(404)
The issue is in the way the parameter product_id is validated. The developer uses a regular expression intended to accept only digits, but applies it with the match method of Python's built-in re module and with the re.M (MULTILINE) flag. Under re.M, `$` matches immediately before every newline rather than only at the end of the string, and match() only anchors the pattern at the beginning of the string. A value such as "1\nOR 1=1" therefore passes the check: `^\d+$` matches the leading "1", and everything after the newline is never inspected. Because line 7 builds the query with an f-string, that trailing text becomes part of the SQL statement, so the bypassed validation turns into SQL injection.

The fix has two parts. Validate the whole value with re.fullmatch (or int(product_id) inside a try/except), without the re.M flag, so that anything other than a string of digits is rejected. Independently of that, never build the query by string interpolation; pass the ID as a bound parameter, so that even a value that slips through validation is treated as data and not as SQL.
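The bypass and the remediation side by side, as an added example that is not part of the original challenge. It reproduces the page's validator (the `^\d+$` pattern with `re.M` and `re.match`) next to a strict one, and runs both lookups against a constructed in-memory SQLite `products` table that stands in for the application's real database; `get_db_connection` and `response` from the challenge are not used.

```python
import re
import sqlite3

# The page's pattern and flag: '$' also matches just before any newline under re.M.
NUM_FORMAT_WEAK = re.compile(r'^\d+$', re.M)
# Strict pattern, used with fullmatch so the entire string must be ASCII digits.
NUM_FORMAT_STRICT = re.compile(r'[0-9]+')


def weak_validate(product_id: str) -> bool:
    """Validation as written on the page: re.match only anchors the start of
    the string, and with re.M '$' is satisfied by the first newline, so
    '1\\nOR 1=1' is accepted."""
    return re.match(NUM_FORMAT_WEAK, product_id) is not None


def strict_validate(product_id: str) -> bool:
    """fullmatch requires the whole string to match; no re.M, no trailing newline."""
    return re.fullmatch(NUM_FORMAT_STRICT, product_id) is not None


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the page's products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget")])
    return conn


def get_product_vulnerable(conn: sqlite3.Connection, product_id: str):
    """Mirrors the challenge snippet: weak regex, then f-string SQL."""
    if not weak_validate(product_id):
        return None
    query = f"SELECT id, name FROM products WHERE id = {product_id}"
    return conn.execute(query).fetchall()


def get_product_hardened(conn: sqlite3.Connection, product_id: str):
    """Strict validation plus a bound parameter: the value never becomes SQL text."""
    if not strict_validate(product_id):
        return None
    return conn.execute("SELECT id, name FROM products WHERE id = ?",
                        (int(product_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "1\nOR 1=1"          # constructed attacker input
    print("weak validator accepts payload:", weak_validate(payload))
    print("vulnerable lookup returns:", get_product_vulnerable(db, payload))
    print("hardened lookup returns:", get_product_hardened(db, payload))
```

Running the script shows the weak validator accepting the payload and the vulnerable lookup returning every row, because the SQL sent to the database is `SELECT id, name FROM products WHERE id = 1\nOR 1=1`. The hardened lookup rejects the same input, and even if a non-numeric value reached it the `?` placeholder would keep it from being parsed as SQL.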
Some takeaways