Get product details for a given product ID.

An system user select a product they want to get more about the product

Your company is building an application for a client. It is required to write function to search for product by a given ID into products table of the database. After a quick review, your boss has identified a vulnerability in the code that creates a risk for your company, and has asked you to remediate the error.

Please take the next step and identify the vulnerability.

After some hours of hard work the developer came up with the code as follow.

Could you please tell me what is the line number and the vulnerability category of the code snippets below?

 1import re
 2
 3def get_product(product_id):
 4	db_connection = get_db_connection()
 5	num_format = re.compile(r'^\d+$', re.M)
 6	if re.match(num_format, product_id):
 7        query = f"SELECT * FROM products WHERE id = {product_id}"
 8		product = db_connection.execute(query).fetchone()
 9		db_connection.close()
10		if product is None:
11			response(Http404)
12			return product
13	else:
14		response(Http404)[yt-video]: https://youtu.be/NylZZ1fmfUw

Use the DEVELOPER SURVEY link bellow to answer the challenge. (Please notice that will be redirected to jotform.com)

The function receives input, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

 1import re
 2
 3def get_product(product_id):
 4	db_connection = get_db_connection()
 5	num_format = re.compile(r'^\d+$', re.M)
 6	if re.match(num_format, product_id):
 7        query = f"SELECT * FROM products WHERE id = {product_id}"
 8		product = db_connection.execute(query).fetchone()
 9		db_connection.close()
10		if product is None:
11			response(404)
12			return product
13	else:
14		response(404)

The issue is in the way that the parameter product_id is being validated by the system. The developer is using a regular expression to get only the numbers of the parameter but is using the match method of the Python regular expression built-in library with the flag re.M that a malicious actor could easyly bypass.

Some take aways

POTENCIAL MITIGATIONS:

• ASSUME ALL INPUTS ARE MALICIOUS
• Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
• Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
• Process SQL queries using prepared statements, parameterized queries, or stored procedures

GO DEEP:

• CWE-89
• OWASP A03:2021 – Injections