# Improper Input Validation (CWE-20)

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

**Stack:** Go

- Prevalence: High (frequently exploited)
- Impact: High (6 high-severity rules)
- Prevention: Documented (13 fix examples)

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

Input validation is a frequently-used technique for checking potentially dangerous inputs in order to ensure that the inputs are safe for processing within the code, or when communicating with other components. When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application.

## Prevention

Prevention strategies for Improper Input Validation, based on 4 Shoulder detection rules.

### Go

- Parse string inputs to typed values and validate against business rules before use
- Use Echo struct binding with validation tags instead of untyped maps
- Use Fiber BodyParser with typed structs and validation tags

## Warning Signs

- [MEDIUM] Business-critical value used without proper validation
- [MEDIUM] Gin application missing input validation middleware

## Consequences

- Execute unauthorized code
- Modify application data
- DoS
- Read application data

## Mitigations

- Assume all input is malicious. Use an allowlist validation strategy that accepts only input known to be valid
- When validating input, consider all potentially relevant properties
- Do not rely exclusively on looking for malicious or malformed input

## Detection

- Total rules: 13
- Languages: python, go, javascript, typescript

## Rules by Language

### Go (4 rules)

- **Business Logic Input Validation** [MEDIUM]: Business-critical values (discount, quantity, refund) used without validation.
  - Remediation: Parse and validate business-critical values before use.

```go
// Inside an http.HandlerFunc(w, r): parse to a typed value, then range-check it.
// ParseFloat accepts "NaN" without error, and NaN passes every comparison, so
// reject it explicitly.
discount, err := strconv.ParseFloat(r.FormValue("discount"), 64)
if err != nil || math.IsNaN(discount) || discount < 0 || discount > 100 {
	http.Error(w, "Invalid discount", 400)
	return
}
```

Learn more: https://shoulder.dev/learn/go/cwe-20/input-validation

- **Echo Missing Input Validation** [MEDIUM]: Echo endpoints accepting user input without struct validation.
  - Remediation: Use struct binding with validation tags.

```go
package main

import "github.com/labstack/echo/v4"

type Input struct {
	Name string `json:"name" validate:"required"`
}

// c.Validate delegates to the echo.Validator registered on the server
// (e.Validator = ...); without one registered it returns an error.
func handler(c echo.Context) error {
	var input Input
	if err := c.Bind(&input); err != nil {
		return c.JSON(400, map[string]string{"error": err.Error()})
	}
	if err := c.Validate(&input); err != nil {
		return c.JSON(400, map[string]string{"error": err.Error()})
	}
	return nil
}
```

Learn more: https://shoulder.dev/learn/go/cwe-20/input-validation

- **Fiber Missing Input Validation** [MEDIUM]: Fiber endpoints accepting user input without struct validation.
  - Remediation: Use BodyParser with struct validation tags.

```go
package main

import (
	"github.com/go-playground/validator/v10"
	"github.com/gofiber/fiber/v2"
)

type Input struct {
	Name string `json:"name" validate:"required"`
}

// One shared validator instance for the application; it caches struct metadata.
var validate = validator.New()

func handler(c *fiber.Ctx) error {
	var input Input
	if err := c.BodyParser(&input); err != nil {
		return c.Status(400).JSON(fiber.Map{"error": err.Error()})
	}
	if err := validate.Struct(&input); err != nil {
		return c.Status(400).JSON(fiber.Map{"error": err.Error()})
	}
	return nil
}
```

Learn more: https://shoulder.dev/learn/go/cwe-20/input-validation

- **Gin Missing Input Validation** [MEDIUM]: Gin endpoints accepting user input without struct binding validation.
  - Remediation: Use ShouldBindJSON with struct binding tags for validation.

```go
package main

import "github.com/gin-gonic/gin"

type Input struct {
	Name  string `json:"name" binding:"required,min=2"`
	Email string `json:"email" binding:"required,email"`
}

func handler(c *gin.Context) {
	var input Input
	// ShouldBindJSON decodes the body and enforces the binding tags in one step.
	if err := c.ShouldBindJSON(&input); err != nil {
		c.JSON(400, gin.H{"error": err.Error()})
		return
	}
}
```

Learn more: https://shoulder.dev/learn/go/cwe-20/input-validation
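The first rule above ("parse string inputs to typed values and validate against business rules before use") carried through as a complete net/http handler. This is an added example, not code from Shoulder or from the page; the `Order` type, the `MaxQuantity` limit and the `/checkout` route are assumptions made for the example. It also covers the edge case that a plain range check misses: `strconv.ParseFloat` parses `"NaN"` successfully, and NaN compares false against every bound.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"net/http"
	"strconv"
)

// Order holds business-critical values that have already been parsed and checked.
type Order struct {
	Discount float64 // percent, 0 to 100 inclusive
	Quantity int     // 1 to MaxQuantity inclusive
}

const MaxQuantity = 1000 // assumed business limit for this example

var ErrDiscount = errors.New("discount must be a number between 0 and 100")
var ErrQuantity = errors.New("quantity must be an integer between 1 and 1000")

// ParseOrder turns raw form strings into typed values and enforces the business
// rules in one place. strconv.ParseFloat accepts "NaN" without error and NaN
// passes every range comparison, so it has to be rejected explicitly.
func ParseOrder(discountRaw, quantityRaw string) (Order, error) {
	discount, err := strconv.ParseFloat(discountRaw, 64)
	if err != nil || math.IsNaN(discount) || discount < 0 || discount > 100 {
		return Order{}, ErrDiscount
	}
	quantity, err := strconv.Atoi(quantityRaw) // rejects "3.0", "1e3" and " 3"
	if err != nil || quantity < 1 || quantity > MaxQuantity {
		return Order{}, ErrQuantity
	}
	return Order{Discount: discount, Quantity: quantity}, nil
}

// checkout is the HTTP handler: parse and validate first, act on typed values second.
func checkout(w http.ResponseWriter, r *http.Request) {
	o, err := ParseOrder(r.FormValue("discount"), r.FormValue("quantity"))
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "discount=%.2f quantity=%d\n", o.Discount, o.Quantity)
}

func main() {
	http.HandleFunc("/checkout", checkout)
	http.ListenAndServe(":8080", nil) // demo server for the constructed example
}
```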