node.js - Is relying on req.param(name) dangerous in regards to query-param injection?
Say I've got the following resource:

customers/{id}

with authentication/authorization performed in middleware on `req.params.id`, i.e. checking that the client can alter only its own resource and none other.

Suppose there's a PUT endpoint on that resource:

put customers/{id}

which is internally implemented by doing a lookup followed by an update in Mongo (for instance).

If the lookup is performed with the id coming from `req.param("id")`, there seems to be a big problem.

Why: it is common practice not to check for superfluous query params, but to silently ignore them. What if one forgets to blacklist the query param `id`? E.g.:

put customers/{evilcustomerid}?id=victimcustomerid

Now evilcustomer can freely update victimcustomer, while still having passed the authorization middleware.

Of course one could argue there should be more validation in place to make sure this doesn't happen. But if one uses `req.params.id` instead of `req.param(id)`, it would never happen.

In other words, should `req.param(id)` be considered unsafe in situations like this?

node.js security authentication
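The following is an added illustration, not part of the original question and not Express's own code. It models the three parameter sources of an Express request (`params`, `body`, `query`) as plain objects and uses a simplified `mergedParam` stand-in for a merged lookup, so it runs on bare Node.js without the express package. The default lookup order in `mergedParam` follows the order Express documents for `req.param` (route params, then body, then query); the alternative order passed in the usage section, the `authorize` and `hasConflictingId` helpers, the in-memory store and the sample requests are all constructed for this example. The point it makes is a defensive one: the authorization step and the data access must read the identifier from the same source, and rejecting a conflicting `id` in the query or body is a cheap extra guard.

```javascript
// Simplified stand-in for a merged-parameter lookup. The default order is
// the one Express documents for req.param(name); the order is a parameter
// so the example can also model a lookup where other sources win.
function mergedParam(req, name, order = ['params', 'body', 'query']) {
  for (const source of order) {
    const bag = req[source];
    if (bag && Object.prototype.hasOwnProperty.call(bag, name)) {
      return bag[name];
    }
  }
  return undefined;
}

// Authorization step: the authenticated client may only touch the customer
// record named by the ROUTE parameter (assumed req.user shape).
function authorize(req) {
  return Boolean(req.user) && req.user.customerId === req.params.id;
}

// Resolver 1: the record id comes from the same source authorize() checked.
function targetIdFromRoute(req) {
  return req.params.id;
}

// Resolver 2: the record id comes from a merged lookup, so its source can
// differ from the one that was authorized depending on the order.
function targetIdMerged(req, order) {
  return mergedParam(req, 'id', order);
}

// Guard: an 'id' in the query or body that disagrees with the route id is
// rejected instead of being silently ignored.
function hasConflictingId(req) {
  for (const source of ['query', 'body']) {
    const bag = req[source];
    if (bag && bag.id !== undefined && bag.id !== req.params.id) {
      return true;
    }
  }
  return false;
}

// PUT handler over an in-memory Map standing in for the database.
// Returns an outcome string so the control flow can be checked.
function handlePut(req, store, resolveTargetId = targetIdFromRoute) {
  if (!authorize(req)) return 'forbidden';
  if (hasConflictingId(req)) return 'bad_request';
  const id = resolveTargetId(req);
  if (!store.has(id)) return 'not_found';
  // Merge the body but never let it rename the record.
  store.set(id, { ...store.get(id), ...req.body, id });
  return 'updated:' + id;
}

// Constructed sample requests (not captured traffic).
const cleanReq = {
  user: { customerId: 'cust-1' },
  params: { id: 'cust-1' },
  query: {},
  body: { name: 'new name' },
};
const conflictingReq = {
  ...cleanReq,
  query: { id: 'cust-2' },
};

function demo() {
  const store = new Map([
    ['cust-1', { id: 'cust-1', name: 'old name' }],
    ['cust-2', { id: 'cust-2', name: 'someone else' }],
  ]);
  return {
    routeId: targetIdFromRoute(conflictingReq),
    mergedDefault: targetIdMerged(conflictingReq),
    mergedQueryFirst: targetIdMerged(conflictingReq, ['query', 'body', 'params']),
    conflictDetected: hasConflictingId(conflictingReq),
    cleanOutcome: handlePut(cleanReq, store),
    conflictingOutcome: handlePut(conflictingReq, store),
    otherRecordUntouched: store.get('cust-2').name,
  };
}

console.log(demo());
```

With the route-only resolver the identifier that reaches the store is, by construction, the one the middleware authorized. With a merged lookup the answer depends on the lookup order, which is exactly the property that should not be a concern of a handler: keeping both steps on `req.params.id` removes the question entirely, and `hasConflictingId` turns a silently ignored extra parameter into a visible 400.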
