Issue
This page states that:
When using complex types it is important to validate that the data you are receiving from the end user is the correct type. Failing to correctly handle complex data could result in malicious users being able to store data they would not normally be able to.
What bad could actually happen (knowing, that CakePHP performs its standard security checks in the background) when accepting JSON data from the frontend?
Which additional security should be added by a CakePHP developer when processing JSON input for single columns and relying on the above introduced support for JSON column type?
Solution
Mostly it is a concern of having the right structure and coherent data.
For example, if you stored serialized data coming from the user and you expect it to be a list of integers like this one:
[1, 4, 5, 6]
so that you can call array_sum($values) in any part of your application. It might be possible for someone to submit an array looking like this:
[{"a": 2}, {"s": 15}, {}, "hello"]
in which case calling array_sum() will give you warnings.
It is important to validate the information you are receiving according to the expectations you have about it in terms of structure and data types.
Answered By - José Lorenzo Rodríguez
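An added example of the structural check the answer recommends, written in plain PHP rather than taken from the answer or from CakePHP itself. It assumes PHP 8.1 or later (for array_is_list); decodeIntList and the sample inputs are constructed for this illustration.

```php
<?php
declare(strict_types=1);

/**
 * Decode a JSON document that must be a flat list of integers.
 * Returns the validated array, or throws on the first violation, so the
 * caller never stores or sums data of the wrong shape.
 */
function decodeIntList(string $json, int $maxItems = 1000): array
{
    // Depth 2 means "an array of scalars": any nested object or array makes
    // json_decode throw a JsonException before we even look at the values.
    $decoded = json_decode($json, true, 2, JSON_THROW_ON_ERROR);

    // array_is_list() requires PHP 8.1+; it rejects {"0": 1} style objects.
    if (!is_array($decoded) || !array_is_list($decoded)) {
        throw new InvalidArgumentException('expected a JSON array at the top level');
    }
    if (count($decoded) > $maxItems) {
        throw new InvalidArgumentException('too many elements');
    }
    foreach ($decoded as $i => $value) {
        // is_int() rejects floats, numeric strings, booleans and null.
        if (!is_int($value)) {
            throw new InvalidArgumentException("element $i is not an integer");
        }
    }
    return $decoded;
}

// Constructed sample inputs: the expected shape, the malformed array from the
// answer, and a flat list whose elements merely have the wrong scalar types.
$inputs = [
    '[1, 4, 5, 6]',
    '[{"a": 2}, {"s": 15}, {}, "hello"]',
    '[1, "2", 3.0]',
];

foreach ($inputs as $json) {
    try {
        $values = decodeIntList($json);
        echo "accepted, sum = ", array_sum($values), "\n";
    } catch (InvalidArgumentException | JsonException $e) {
        // In a controller this is where you would return a 400 instead of saving.
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```

Only the first input is accepted (sum 16); the nested one is refused by the parser's depth limit and the third by the integer check, so array_sum() is never called on unexpected data.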