iangreenleaf

Handling invalid UTF-8 strings from URL path params

Here’s the problem I’m working on: bots probing my site for vulnerabilities will try injecting special character sequences into params, like /articles/abc%DE~%C7%1FY, which becomes the binary <<97, 98, 99, 222, 126, 199, 31, 89>>, which is not a valid string.

No doubt this attack targets Oracle Server 2003 or something, I don’t know. It’s not going to cause any harm to my app, but it does end up triggering a Postgrex error because the invalid binary makes it all the way into the SELECT query before being rejected as invalid UTF-8.

I’d like to catch this earlier and return an appropriate 4xx error for invalid input rather than a 500 error when the DB query fails. Plug.Parsers has an option to validate UTF-8 in body and query params, so that a request like /articles/abc?a=b%DE~%C7%1FY will throw a relevant exception, but it seems like the path params aren’t checked in the same way.

I’m not sure how to attack this problem. I don’t want to add a check individually to every controller, since this is an application-wide need. Should the path params be run through the same parser checks as other params, or is there a reason they aren’t?

malaire

These new “Living Standards” seem to be quite new. But W3C does say that for HTML the WHATWG standard is current standard:

HTML Standard is the current HTML standard. It obsoletes all other previously-published HTML specifications.

And that WHATWG HTML Standard refers to this URL Standard.

In the Goals section, the URL Standard also says that one of its goals is to obsolete RFC 3986 and RFC 3987.

NobbZ

You could add a plug which checks the :request_path. Something like this:

# Function plug; register it in the pipeline with `plug :reject_invalid_path`.
def reject_invalid_path(conn, _opts) do
  # request_path is still percent-encoded; URI.decode/1 raises on malformed escapes.
  valid? =
    try do
      String.valid?(URI.decode(conn.request_path))
    rescue
      ArgumentError -> false
    end
  if valid? do
    conn
  else
    # put_status/2 alone never sends anything; send_resp/3 actually replies.
    conn |> Plug.Conn.send_resp(:im_a_teapot, "") |> Plug.Conn.halt()
  end
end

This is a quick draft based on the docs. You might want to adjust some parts of it, add some content, make it a module-based plug or change the status code sent :smiley:

Also, this code assumes that the :request_path is already decoded at this point. If it is not, you can use URI.decode/1 to do so.
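A module-based variant of that check, added here as an example and not code from the thread: the module name MyAppWeb.Plugs.ValidUtf8Path is hypothetical, and it validates conn.path_info, the percent-decoded segments that the router binds into path params (the Plug.Cowboy adapter decodes them when it builds the conn). The last lines rerun the exact path from the question against it.

```elixir
defmodule MyAppWeb.Plugs.ValidUtf8Path do
  @moduledoc """
  Rejects requests whose decoded path segments are not valid UTF-8 with a
  400 before any controller or Ecto query sees them. Hypothetical module
  name; wire it up with `plug MyAppWeb.Plugs.ValidUtf8Path` in the endpoint
  (before the router) or in a router pipeline.
  """
  import Plug.Conn

  def init(opts), do: opts

  def call(%Plug.Conn{path_info: segments} = conn, _opts) do
    # path_info holds the decoded segments, so the bytes checked here are the
    # same bytes that would be bound into a `:id`-style path param.
    if Enum.all?(segments, &String.valid?/1) do
      conn
    else
      conn
      |> send_resp(:bad_request, "Invalid UTF-8 in request path")
      |> halt()
    end
  end
end

# Constructed check using the path from the question: decoding the
# percent-escapes yields the invalid binary the original post shows.
decoded = URI.decode("abc%DE~%C7%1FY")
true = decoded == <<97, 98, 99, 222, 126, 199, 31, 89>>
false = String.valid?(decoded)

# Build a test conn with that segment in place and run the plug on it.
conn = %{Plug.Test.conn(:get, "/") | path_info: ["articles", decoded]}
conn = MyAppWeb.Plugs.ValidUtf8Path.call(conn, [])
true = conn.halted
400 = conn.status

# A normal path passes through untouched.
ok = %{Plug.Test.conn(:get, "/") | path_info: ["articles", "abc"]}
false = MyAppWeb.Plugs.ValidUtf8Path.call(ok, []).halted
```

Query-string and body params are still covered by the Plug.Parsers validate_utf8 option mentioned in the question; this plug only closes the path-param gap.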

malaire

Current URL standard seems to be based on valid UTF-8 encoding.
