vincent15000

Security problem with this code?

Hello,

Could there be a security problem with this code?

        <x-ui.submit-button x-data="{ submitted: false }" x-on:click="submitted = true; $el.closest('form').submit()" x-bind:disabled="submitted">
            <div x-show="submitted" class="animate-spin">
                <x-icons.spinner></x-icons.spinner>
            </div>
            
            <div x-show="!submitted">
                Enregistrer
            </div>
        </x-ui.submit-button>

Is there any security problem with this code? Is there any more elegant way to do that?

Thanks for your help.

V

Snapey

Since all client side code is untrusted, how can this code introduce ADDITIONAL security concerns?

It can't.

vincent15000

I imagined a scenario in which an attacker could use the submit action diverted to another form?

JussiMannisto

What kind of attack are you talking about?

Users can do anything with their own front end, so they can of course submit the form anywhere. That's why you validate and authorize everything server-side.

On the front end, what you need to worry about is code injection that could affect other users (XSS).

jlrdw

Also, who is the code for: anyone, or an authenticated user only?

But any submitted code needs some validation and sanitizing.

Not your code here but just an example of checking things on the server side:

Let's say a user with a userid of 127 wants to download their pdf file. If any user besides 127 attempts that, it doesn't work, even if they change the URL.

I have the last part of the pdf as their id. For example, myfile_127.pdf. In the download routine this has to match.

        // Ownership check
        $str = Cln::findId($image, "_", ".");
        if (Auth::id() != $str) {
            abort(403, 'Unauthorized access.');
        }

In a called function I make sure that between the last underscore and the .pdf is the current user's id.

Yes, there are other ways, but this works.

The point is: don't trust front-end input; validate and check things on the server side. But it's just an example.

I normally store like this: myfile_1774039695_127.pdf

The function I call:

    // Returns the text between the last $start and the last $end in $string
    // (e.g. "127" for "myfile_1774039695_127.pdf" with "_" and ".").
    public static function findId($string, $start = "", $end = "") {
        $p1 = strrpos($string, $start);
        $p2 = strrpos($string, $end);
        // strrpos() returns false when a marker is missing; both markers must be
        // present, $start must not be the first character, and $end must follow it.
        if ($p1 === false || $p1 == 0 || $p2 === false || $p2 <= $p1) {
            return 'Not correct format';
        }
        $p1 = $p1 + 1;                 // skip the $start marker itself
        return substr($string, $p1, $p2 - $p1);
    }

But it's just an example of dealing with things on the server side.

Don't forget the 2 rules any programmer should know:

  • Never trust user input
  • Backup often
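As an added example (not jlrdw's code), here is a stricter form of the same "owner id is embedded in the filename" check. It assumes the storage format described in the post, name_timestamp_userid.pdf, with the timestamp part treated as optional so myfile_127.pdf is also accepted; the function names are my own.

```php
<?php
declare(strict_types=1);

// Added example, not the poster's code. Assumes filenames of the form
// <name>_<timestamp>_<userid>.pdf, timestamp optional, as described above.

/**
 * Return the owner id encoded in the filename, or null when the name does
 * not match the expected format exactly.
 */
function ownerIdFromFilename(string $filename): ?int
{
    // Anchored pattern over a single path segment: '/', '\' and '..' cannot
    // appear, so a value such as "../x_127.pdf" is rejected outright.
    $pattern = '/^[A-Za-z0-9-]+(?:_\d+)?_(\d+)\.pdf$/';
    if (preg_match($pattern, $filename, $m) !== 1) {
        return null;
    }
    return (int) $m[1];
}

/**
 * True only when the embedded owner id equals the authenticated user's id.
 * Integers are compared with === so loose-comparison surprises with strings
 * like "127abc" or "Not correct format" cannot occur.
 */
function isOwnedBy(string $filename, int $authUserId): bool
{
    $owner = ownerIdFromFilename($filename);
    return $owner !== null && $owner === $authUserId;
}

// In a Laravel download route this becomes (Auth::id() as in the post):
//   if (!isOwnedBy($requested, (int) Auth::id())) { abort(403, 'Unauthorized access.'); }

// Constructed sample inputs: [filename, current user id, expected result].
$cases = [
    ['myfile_1774039695_127.pdf',     127, true],
    ['myfile_127.pdf',                127, true],
    ['myfile_1774039695_127.pdf',     128, false], // another user's file
    ['myfile_1774039695_127abc.pdf',  127, false], // malformed id
    ['../myfile_1774039695_127.pdf',  127, false], // extra path component
    ['myfile_1774039695_127.pdf.php', 127, false], // wrong extension
];
foreach ($cases as [$name, $uid, $expected]) {
    if (isOwnedBy($name, $uid) !== $expected) {
        throw new RuntimeException("check failed for $name");
    }
}
echo "all ownership checks behave as expected\n";
```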
