Request content is tainted by user input

Severity: High
Applies to: Step
Links: CWE-20, CWE-116

Why This Issue Is Important

In an Apigee proxy, populating the request content with user-controlled input without proper validation poses a significant security risk. User input is inherently untrusted and can be manipulated by attackers to introduce malicious data into your application. If this data is used without proper validation, it can lead to unexpected behavior, security vulnerabilities, and potential breaches.

The principle of validating all incoming data before processing it is a cornerstone of secure coding practices. By ensuring that user-controlled data is sanitized and validated before it is used in any application logic, you reduce the risk of attacks such as SQL injection, cross-site scripting (XSS), and other forms of data manipulation that could compromise the integrity and security of your system.

How This Issue Is Detected

CodeSent scans the flow to identify variables that are known to be influenced by user input, such as request.header, request.queryparam, etc. The tool traces the flow of these variables to see if they are used to populate the request.content flow variable. If such a variable flows into request.content, CodeSent flags this as a potential risk.

How to Fix the Issue

To fix this issue, you should validate all user-controlled data before it is used to populate the request content. This involves applying appropriate validation and sanitization logic to ensure that only valid and safe data is processed by your proxy.
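The pattern above, as an added example that is not CodeSent's or Apigee's own code: an Apigee JavaScript policy callout that copies a query parameter into request.content unchecked, beside a version that allow-list validates it first. The parameter name customer_id, the allow-list pattern, the validation.error variable (meant for a following RaiseFault step) and the makeContext stub used for offline runs are all assumptions; getVariable/setVariable and the request.* variable names are the Apigee JavaScript policy API.

```javascript
// Added example (not CodeSent's or Apigee's code). `ctx` is any object with
// getVariable/setVariable: in Apigee pass the policy's `context`, offline
// pass the constructed stub from makeContext() below.

// Assumed allow-list: a customer id is 1-32 characters of [A-Za-z0-9_-].
const CUSTOMER_ID_RE = /^[A-Za-z0-9_-]{1,32}$/;

function isValidCustomerId(value) {
  return typeof value === 'string' && CUSTOMER_ID_RE.test(value);
}

// Tainted version (what the rule flags): the query parameter flows straight
// into request.content via string concatenation, so a value containing
// quotes changes the structure of the JSON body (CWE-116).
function buildRequestContentUnchecked(ctx) {
  const id = ctx.getVariable('request.queryparam.customer_id');
  ctx.setVariable('request.content', '{"customerId":"' + id + '"}');
  return true;
}

// Hardened version: validate against the allow-list first (CWE-20). On
// failure, leave request.content untouched and set a flow variable that a
// later RaiseFault step can act on. JSON.stringify encodes the value, and
// the allow-list already excludes quotes and backslashes.
function buildRequestContent(ctx) {
  const id = ctx.getVariable('request.queryparam.customer_id');
  if (!isValidCustomerId(id)) {
    ctx.setVariable('validation.error', 'invalid customer_id');
    return false;
  }
  ctx.setVariable('request.content', JSON.stringify({ customerId: id }));
  return true;
}

// Constructed stand-in for Apigee's flow-variable store (offline runs only).
function makeContext(initialVars) {
  const store = Object.assign({}, initialVars);
  return {
    getVariable: (name) => (name in store ? store[name] : null),
    setVariable: (name, value) => { store[name] = value; },
    vars: store,
  };
}
```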