Create Secure Coding - Unsafe Consumption of APIs.md

This commit is contained in:
Mehdi 2023-12-16 11:09:17 +03:30 committed by GitHub
parent 9733252e19
commit fcb9a30360
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -0,0 +1,189 @@
# Unsafe Consumption of APIs (API10:2023)
Due to the above vulnerability, the attacker is able to send or receive information from the sources of the supply chain or implement her desired requests in a specific group.
* Example
GET request to receive weather information from a third-party service:
```html
GET /api/weather?location=New+York
```
### Non-compliant code (.NET)
```c#
[ApiController]
[Route("api/weather")]
public class WeatherController : ControllerBase
{
private readonly IWeatherService weatherService;
public WeatherController(IWeatherService weatherService)
{
this.weatherService = weatherService;
}
// GET /api/weather
[HttpGet]
public IActionResult GetWeather(string location)
{
// Make a direct call to the third-party weather API
WeatherData weatherData =
weatherService.GetWeatherData(location);
return Ok(weatherData);
}
// Other methods...
}
```
### Compliant code (.NET)
```c#
[ApiController]
[Route("api/weather")]
public class WeatherController : ControllerBase
{
private readonly IWeatherService weatherService;
public WeatherController(IWeatherService weatherService)
{
this.weatherService = weatherService;
}
// GET /api/weather
[HttpGet]
public IActionResult GetWeather(string location)
{
// Validate the location parameter and restrict access to trusted sources
if (!IsValidLocation(location))
{
return BadRequest();
}
// Make a call to the third-party weather API through the weather service
WeatherData weatherData = weatherService.GetWeatherData(location);
if (weatherData == null)
{
return NotFound();
}
return Ok(weatherData);
}
private bool IsValidLocation(string location)
{
// Implement validation logic to ensure the location is safe and trusted
// This could involve white-listing trusted sources or validating against a known set of safe locations
// Return true if the location is valid, false otherwise
// Example: return Regex.IsMatch(location, "^[a-zA-Z]+(,[a-zA-Z]+)*$");
// Implement your validation logic here
// For simplicity, assuming any location is valid
return true;
}
// Other methods...
}
```
## General prevention suggestions:
* Trust data received from external APIs with caution and rigorous validation.
* Check and verify the security and standards of the third-party service before connecting to it.
* Using encryption to communicate with external services and prevent sending sensitive information normally.
* Limiting access and levels allowed to third-party services and setting appropriate limits.
* Implementing protection mechanisms such as prototyping and generalization to ensure the security and reliability of data received from external services.
* Continuous monitoring and monitoring to detect and fix any defects in the security of external services.
* Training developers about security principles and correct use of external APIs.