Ornias1993 / fetlife-aslsearch-reborn

Tampermonkey user script offering an interface to perform pseudo-automatic searches of the FetLife.com user base filtered by age, sex, location, and role.

6 stars 2 forks source link

Input validation and sanitization rework #55

Closed Ornias1993 closed 4 years ago

Ornias1993 commented 5 years ago

Description

Input validation and sanitization is a mess, at some needed spots it isn't there and in others its halfway done. This is a security issue

Category

TODO

Detailed Bug Report

For PUSHed scrape results we should:

Prevent XSS attacks
validate the format and throw everything out of wrong
Validate if an entry contains a valid user ID or throw the whole entry out
Validate columns and throw unknown ones out (+ their value!)
Sanitise: Make sure SQLi attacks cant be done and inputs are consistent

For GET requests we should:

validate the format and throw everything out of wrong
Validate columns and throw unknown ones out (+ their value!)
Validate inputs to be what they should be (for example: url being an actual fetlife url) and set to null if not
Sanitise: Make sure SQLi attacks cant be done and inputs are consistent

Ornias1993 commented 5 years ago

Checking URL's, countries and so forth will be a 0.7.0 todo. Basic verification is in place at multiple levels. At least for data types.