realworld-axum-sqlx

Missing input validations

Open abonander opened this issue 3 years ago • 1 comments

As pointed out by /u/LucasMathWalker on Reddit: https://www.reddit.com/r/rust/comments/shetb1/show_rrust_a_rust_implementation_of_the_realworld/hv42wuo/

Text inputs in various routes are not properly validated. That's an oversight on my part. Were I designing these routes from scratch I would have considered it, but the Realworld spec is silent on input validation so I wasn't thinking about it.

Where variables are given, pick reasonable values for the context but don't assume they are the same values between routes:

  • In users::create_user(): https://github.com/launchbadge/realworld-axum-sqlx/blob/main/src/http/users.rs#L60
    • username should be between X and Y characters long
    • password should be between X and Y characters long (allow long passwords but not super long)
    • email should be non-empty and "look like an email" and at most X characters long
      • I'm not thinking a validation with regex is necessary here but it should at least contain @
      • Email validation is hard to get right, and usually not worth the effort: https://stackoverflow.com/questions/201323/how-can-i-validate-an-email-address-using-a-regular-expression
      • Note that normally the application would submit a confirmation email instead; find a recent article advising on how to confirm emails.
  • In users::update_user():
    • Apply the same validations as above.
    • Limit bio to X characters in length.
  • In articles::create_article(): https://github.com/launchbadge/realworld-axum-sqlx/blob/main/src/http/articles/mod.rs#L137
    • title should be between X and Y characters long
    • description should be between X and Y characters long
    • Require that body is not empty and at most X characters in length (Reddit uses 5000 for a comment, seems reasonable.)
    • Limit tag_list to N elements; limit each tag to X characters in length
  • In articles::update_article(): https://github.com/launchbadge/realworld-axum-sqlx/blob/main/src/http/articles/mod.rs#L204
    • Apply the same validations as above.
  • In articles::comments::add_comment(): https://github.com/launchbadge/realworld-axum-sqlx/blob/main/src/http/articles/comments.rs#L121
    • Require that body is not empty and limit it to X characters in length.

abonander, Feb 01 '22 22:02

It would be interesting to use https://github.com/Keats/validator, it's almost exactly what I was thinking when I mentioned an input validator framework in the Reddit thread.

The only thing it's missing, IMO, is enforcement of validation via typestate, so you can't forget to apply validation before you access the struct fields. I've made the suggestion there: https://github.com/Keats/validator/issues/185

abonander, Feb 01 '22 23:02
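
The validate-before-access idea from the comment above, applied to the `create_user` rules listed in the issue. This is an added example, not code from realworld-axum-sqlx or the validator crate. The `input` module, its type names and every numeric limit are assumptions chosen for illustration; it uses only the standard library.

```rust
pub mod input {
    // Assumed limits for illustration; the issue leaves X and Y open.
    const USERNAME: (usize, usize) = (3, 32);
    const PASSWORD: (usize, usize) = (8, 128);
    const EMAIL_MAX: usize = 254;

    /// Unvalidated request body. Fields are private to this module, so a
    /// handler elsewhere cannot read them without calling `validate()`.
    pub struct NewUser { username: String, email: String, password: String }

    /// Proof of validation: `_sealed` is private, so code outside this module
    /// can only obtain one from `NewUser::validate`. No `Debug`, to keep the password out of logs.
    pub struct ValidNewUser { pub username: String, pub email: String, pub password: String, _sealed: () }

    // Count chars rather than bytes so non-ASCII input is measured as typed.
    fn len_in(s: &str, (min, max): (usize, usize)) -> bool {
        (min..=max).contains(&s.chars().count())
    }

    // "Looks like an email": bounded length and an '@' with text on both sides.
    fn email_ok(s: &str) -> bool {
        s.chars().count() <= EMAIL_MAX
            && matches!(s.split_once('@'), Some((l, d)) if !l.is_empty() && !d.is_empty())
    }

    impl NewUser {
        // Trimming username/email is an assumption; the password is kept verbatim.
        pub fn new(username: &str, email: &str, password: &str) -> Self {
            NewUser { username: username.trim().into(), email: email.trim().into(), password: password.into() }
        }

        /// Consumes the raw input and returns every failing field, not just the first.
        pub fn validate(self) -> Result<ValidNewUser, Vec<&'static str>> {
            let mut bad = Vec::new();
            if !len_in(&self.username, USERNAME) { bad.push("username"); }
            if !email_ok(&self.email) { bad.push("email"); }
            if !len_in(&self.password, PASSWORD) { bad.push("password"); }
            if !bad.is_empty() { return Err(bad); }
            Ok(ValidNewUser { username: self.username, email: self.email, password: self.password, _sealed: () })
        }
    }
}

fn main() {
    // Constructed sample input that fails all three checks.
    match input::NewUser::new("al", "not-an-email", "hunter2").validate() {
        Ok(u) => println!("creating {}", u.username),
        Err(fields) => println!("rejected fields: {:?}", fields),
    }
}
```

Because `validate` takes `self` by value, the unvalidated struct is gone after the call, and a handler in another module has no path to the field values other than the `ValidNewUser` it returns.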