node.js - Is relying on req.param(name) dangerous in regards to query-param injection?
Say I've got the following resource:

customers/{id}

with authentication/authorization performed in middleware on `req.params.id`, i.e. checking that a client can only alter its own resource and none other.

Suppose there's a set endpoint at that resource:

PUT customers/{id}

which is internally implemented by doing a lookup followed by an update in Mongo (for instance).

If the lookup is performed on the id coming from `req.param("id")`, we seem to have a big problem.

Why: it is common practice not to check for superfluous query params and to silently ignore them. What if we forget to blacklist the query param `id`? E.g.:

PUT customers/{evilcustomerid}?id=victimcustomerid

Now evilcustomer can freely update victimcustomer, while still having passed the authorization middleware.

Of course one could argue there should be more validation in place to make sure this doesn't happen. But if we use `req.params.id` instead of `req.param("id")`, this can never happen.

In other words, should `req.param(id)` be considered unsafe in situations like this?
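As an added illustration that is not part of the question: Express documents `req.param(name)` as looking in `req.params`, then `req.body`, then `req.query` (the method is deprecated in Express 4). The snippet below models that merged lookup with hand-built request objects and compares it with reading `req.params.id` directly; the `mergedParam` helper, the request objects and the customer ids are assumptions made for the example, not Express's own code.

```javascript
// Model of the merged lookup, following the order Express documents for
// req.param(name): route params, then body, then query string.
function mergedParam(req, name) {
  for (const source of [req.params, req.body, req.query]) {
    if (source && Object.prototype.hasOwnProperty.call(source, name) && source[name] != null) {
      return source[name];
    }
  }
  return undefined;
}

// Authorization middleware from the question: only the route id is checked.
function authorize(req) {
  return req.user.id === req.params.id;
}

// Risky handler: the id used for the Mongo lookup comes from the merged lookup.
function targetIdViaParam(req) {
  return mergedParam(req, 'id');
}

// Hardened handler: read the id from the same source the middleware checked.
function targetIdViaParams(req) {
  return req.params.id;
}

// Does the handler act on the resource the middleware actually authorized?
function handlerMatchesAuthorized(req, pick) {
  return authorize(req) && pick(req) === req.params.id;
}

// Constructed request A: route id is the caller's own, query carries another id.
// With params-first precedence the route value wins, so the lookup stays consistent.
const reqA = {
  user: { id: 'cust-1' },
  params: { id: 'cust-1' },
  body: {},
  query: { id: 'cust-2' },
};

// Constructed request B: a hypothetical refactor renamed the route segment to
// :customerId, so params has no 'id'. The merged lookup silently falls through
// to the body value, while req.params.id is undefined and authorization fails closed.
const reqB = {
  user: { id: 'cust-1' },
  params: { customerId: 'cust-1' },
  body: { id: 'cust-2' },
  query: {},
};
```

The point for a defender is that the merged lookup's answer depends on which sources happen to be populated, so the authorization check and the database lookup can end up reading different values; reading `req.params.id` in both places removes that ambiguity.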
Tags: node.js, security, authentication