Pushing Left, Like a Boss — Part 5.10 — Untrusted Data
Trust data from... no one. Not the database, not APIs, not even your mom.
Sydney, Australia, 2019. I’m the tiny dot.
Any data sent to your application needs to be treated as untrusted, and thus validated before it is used or saved. When I say this, I mean ALL DATA. Whoever saved the data to that database may have made an error while validating that input. The API you are calling may have been compromised. Even a highly intelligent user, such as my mother (degrees in both chemistry and mathematics, an accounting designation, and several certifications, including adult education; she's very bright), could make a simple error when using an application, such as entering a single quote instead of a double quote, which could potentially send your application into an error state, causing a crash or worse. I realize that we generally assume we are guarding only against malicious actors, but this is not true: even well-meaning, well-educated and computer-literate users can cause problems if your application is too trusting of the data it receives. If you treat all data as potentially malicious, you will ensure that your application is not only battle-ready but also error-proof.
Validate data from all sources, including:
- Parameters in the URL
- The database
- APIs (internal and external)
- Other Applications
- Anything from the user. Especially the user.
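As an added example (not code from the post), here is one allow-list validator applied identically to records from each of the sources listed above, assuming a hypothetical profile record with username, email and age fields; the sample records are constructed, and the one containing a single quote is rejected cleanly instead of crashing the application:

```python
import re
from dataclasses import dataclass
from typing import Any, Dict

# Allow-list patterns: describe exactly what a valid value looks like, nothing more.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")

class ValidationError(ValueError):
    """Raised for any value that does not match the allow-list."""

@dataclass(frozen=True)
class Profile:
    username: str
    email: str
    age: int

def validate_profile(raw: Any, source: str) -> Profile:
    """Validate one profile record the same way whatever its origin.

    `source` ("url", "db", "api", "user") only labels the rejection for logging.
    """
    if not isinstance(raw, dict):
        raise ValidationError(f"{source}: expected a mapping, got {type(raw).__name__}")
    username = raw.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError(f"{source}: username does not match allow-list")
    email = raw.get("email")
    if not isinstance(email, str) or len(email) > 254 or not EMAIL_RE.fullmatch(email):
        raise ValidationError(f"{source}: email does not match allow-list")
    age = raw.get("age")
    # URL parameters arrive as strings; accept digits only, then range-check the int.
    if isinstance(age, str) and age.isdigit():
        age = int(age)
    if not isinstance(age, int) or isinstance(age, bool) or not 0 <= age <= 150:
        raise ValidationError(f"{source}: age out of range")
    return Profile(username, email, age)

# Constructed sample records, one per boundary the post lists (hypothetical values).
SAMPLES: Dict[str, Any] = {
    "url": {"username": "alice_01", "email": "alice@example.com", "age": "30"},
    "db": {"username": "bob", "email": "bob@example.com", "age": -5},      # bad row already stored
    "api": {"username": "O'Brien", "email": "ob@example.com", "age": 41},  # the single-quote case
    "user": "not even an object",
}

def screen(records: Dict[str, Any]) -> Dict[str, str]:
    """Run every record through the validator; report accept/reject per source."""
    outcome = {}
    for source, raw in records.items():
        try:
            validate_profile(raw, source)
            outcome[source] = "accepted"
        except ValidationError as exc:
            outcome[source] = f"rejected ({exc})"  # logged and skipped; the app keeps running
    return outcome
```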
References: Check out the OWASP Cheat Sheet for Input Validation!
Up next in the ‘Pushing Left, Like a Boss’ series: Authorization (AuthZ).