Take Data Validation Seriously

Paul Milham, WildWorks

WildWorks

Animal Jam

Outline

• Attacks • Data Validation => Security • Data Normalization => Stability • Joi • Tean • Express Integration • Hapi Integration • Questions

Safety

• My job is to keep kids safe. • How do we keep our application safe? • Safe from what?

Attacks

• The web is full of jerks • https://www.owasp.org/index.php/Category:Attack • Read that for a bedtime horror story

SQL Injection

console.log(name); // paulconsole.log(email); // '); DROP TABLE db.user; --mysql.query(`INSERT INTO db.user (name, email) VALUES ('${name}', '${email}')`);

Shell Injection

console.log(pass); // "; rm -rf /"require("child_process").exec(` php -r "print crypt('${pass}','\\$1\\$rounds=1\\$salt\\$');"`, (err, stdout, stderr) => {});// hopefully you're using containers

ReDOS

const msg = 'foo=bar' + ';'.repeat(65535) + 'domain=example.com';console.time("regex");console.log(msg.search(/;+$/));console.timeEnd("regex"); // regex: 5854.071ms :(

• This is a sample vulnerability in tough cookie • https://snyk.io/vuln/npm:tough-cookie:20160722 • Be careful of "evil" regex

Security

• It’s a scary world • Security is important • There’s a lot more than just those three

Validation

• Verify the shape of the data • Malicious data can’t get in • First line of defense

Simple Joi

"use strict";

const Joi = require("joi");

Joi.validate("srsly a string", Joi.string(), (err, value) => { console.log(err); // null console.log(value); // "srsly a string"});

Joi Failure

Joi.validate(5, Joi.string(), (err, value) => { console.log(err); // Error console.log(value); // 5});

Joi Schema

const schema = Joi.object().keys({ username: Joi.string().email({tldWhiteList: ["wildworks"]}).required(), password: Joi.string().min(6).max(25).required(),});

Joi.validate({ username: "paul.milham@wildworks.com", password: "justinbieber",}, schema, (err, value) => { console.log(err); console.log(value);});

All In

const schema = Joi.object().keys({ username: Joi.string().email({tldWhiteList: ["wildworks"]}).required(),});

Joi.validate({ username: "paul.milham@wildworks.com", password: "justinbieber",}, schema, (err, value) => { console.log(err); // justinbieber is not allowed});

All In

• Validating one field means validating them all • Hard for devs to forget

Data Normalization

• Normalization is being a good citizen • Normalization creates a contract with your consumer • Normalization goes a lot deeper than this (we'll get to that later)

Joi Conversion

Joi.validate("1.916", Joi.number(), (err, value) => { console.log(value.toFixed(1)); // 1.9 (No TypeError!)});

Joi Defaults

Joi.validate(undefined, Joi.number().default(0), (err, value) => { console.log(value.toFixed(1)); // 0.0 (No TypeError!)});

Tean

•Declarative syntax (schemas are POJOs) •Async •Convert data into models •Strict by default •https://www.npmjs.com/package/tean •Note that custom validators were recently added to Joi

Tean Validation

// simple validation tean.object({animal: "string"}, {animal: “kangaroo”},(isValid, result) => { console.log(isValid); // true console.log(result); // {animal: "kangaroo"} });

Tean Failure

tean.object({animal: "string"}, {animal: null}, (isValid, result) => { console.log(isValid); // false console.log(result); // ["animal (null) is not a string"] });

Tean Normalization

// optional parameters tean.object({animal: “string(kangaroo,tiger)=tiger”, sparkles: "bool=true"}, {animal: "tiger"}, (isValid, result) => { console.log(isValid); // true console.log(result); // {animal: "tiger", sparkles: true} // Note that the original object is not altered! Normalized and validated data is passed into "result" in the callback });

Model Mapping

tean.object(req.body.params, { accessory: "avatarAccessory", user: ["userUid"],}, (isValid, result) => {});

Data Normalization

• Provides a friendly API • Provides consistency and reliability • Eliminates lots of common bugs

Express

• Everyone uses it! • No built in validation! • Too many exclamation points! • https://expressjs.com/

Express + Joi

app.get('/:username', function (req, res) { const schema = Joi.object().keys({ username: Joi.string().required(), });

Joi.validate(req.params, schema, (err, value) => { console.log(err); req.params = value; res.send(`${req.params.username} is the best!`); });});

Express + Tean

app.get('/:user', function (req, res) { tean.object(req.body.params, { user: "userUid", }, (isValid, result) => { console.log(isValid); req.params = result;

res.send(`${result.user.name} is the best!`); });});

Problem

• We’re relying on the developer to remember to validate • This is a problem for maintenance and updates • Middleware to the rescue!

Route Middleware

this.app.post(options.route, tean.expressRequest(options.paramMap), (req, res) => { // do stuff options.handler(req.safeData, req, res); }, (err, req, res) => { console.log(err.stack); res.status(500).send(); } );

Express + Joi

• https://www.npmjs.com/package/celebrate

Hapi

• Hapi isn't minimalist like Express • Lots of options out of the box • http://hapijs.com/

Hapi Validation

app.route({ method: "POST", path: "/", config: { handler: (req, reply) => { reply("hey!"); }, validate: { payload: { username: Joi.string().email().required(), password: Joi.string().max(25).required(), }, }, },});

Take Away

• FORCE validation of data - an opt in system isn't good enough • Make sure shape of data is acceptable • No validation, no data • This ensures malicious data does not enter your application

Take Away

• FORCE normalization of data shape • Data should always have a consistent shape • Make data access and usage reliable • Eliminates lots of “stupid” bugs

On the Way Out

• Have you thought about data security on the way out? • Mind blown! • Prevent Data Leaks from "heartbleed" or SQL Injection • Provide same stability contract for your client app

Thanks!

• Any questions? • @domrein