# Improper Handling of Extra Parameters (CWE-235)

The product does not handle or incorrectly handles the case where the number of parameters, fields, or arguments with the same name exceeds the expected amount.

- Prevalence: Moderate; 2 languages supported
- Impact: Moderate; review recommended
- Prevention: Documented; 2 fix examples

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

When an application receives duplicate parameters (for example `?role=user&role=admin`), it may process them inconsistently, leading to security bypasses or logic errors. Frameworks differ in which value they surface: some select the first occurrence, some the last, and some combine the occurrences into an array. The risk is greatest when two layers disagree: if a validation or filtering layer reads one occurrence while the application logic reads another, the attacker controls the value that is never checked.

## Prevention

Prevention strategy for Improper Handling of Extra Parameters, based on 2 Shoulder detection rules.

### JavaScript

Add the hpp middleware to normalize duplicate query parameters.

### Python

Explicitly check for and reject duplicate HTTP parameters.

## Warning Signs

- [MEDIUM] Handling of duplicate HTTP parameters without proper validation
- [LOW] Request parameters used without HPP protection. Express converts duplicate query/body params to arrays, which can bypass
- [LOW] Missing HTTP Parameter Pollution (HPP) protection in Express

## Consequences

- Bypass of protection mechanisms
- Modification of application data

## Mitigations

- Define and enforce a single policy for handling duplicate parameters
- Reject requests that duplicate security-sensitive parameters
- Use a framework that handles duplicates consistently

## Detection

- Total rules: 2
- Languages: javascript, typescript, python

## Rules by Language

### Javascript (1 rule)

- **HTTP Parameter Pollution Prevention in Express.js** [LOW]: Detects missing HTTP Parameter Pollution (HPP) protection in Express.js applications.
  - Remediation: Option 1 - Add the hpp middleware (recommended):

    ```bash
    npm install hpp
    ```

    ```javascript
    const hpp = require('hpp');
    app.use(hpp());
    ```

    Option 2 - Validate parameters manually:

    ```javascript
    // Express yields an array when a parameter is repeated; collapse it to one value
    const value = Array.isArray(req.query.param)
      ? req.query.param[0] // Take first value
      : req.query.param;
    ```

    Note that the two options are not equivalent: hpp keeps the last value of a repeated parameter by default and moves the full array to `req.queryPolluted`, whereas the manual check above keeps the first. Choose one policy and apply it consistently in every layer that reads the parameter, otherwise the mismatch itself becomes the bypass.

### Typescript (1 rule)

- **HTTP Parameter Pollution Prevention in Express.js** [LOW]: Detects missing HTTP Parameter Pollution (HPP) protection in Express.js applications.
  - Remediation: Option 1 - Add the hpp middleware (recommended):

    ```bash
    npm install hpp
    ```

    ```typescript
    const hpp = require('hpp');
    app.use(hpp());
    ```

    Option 2 - Validate parameters manually:

    ```typescript
    // Express yields an array when a parameter is repeated; collapse it to one value
    const value = Array.isArray(req.query.param)
      ? req.query.param[0] // Take first value
      : req.query.param;
    ```

### Python (1 rule)

- **HTTP Parameter Pollution** [MEDIUM]: Detects handling of duplicate HTTP parameters without proper validation.
  - Remediation: Check for duplicate parameters and reject requests with unexpected multiples (Flask-style `request.args` shown).

    ```python
    # getlist() returns every occurrence; more than one for a parameter
    # that is expected once means the request has been polluted
    if len(request.args.getlist('param')) > 1:
        return "Duplicate parameters not allowed", 400
    ```

Learn more: https://shoulder.dev/learn/python/cwe-235/parameter-pollution
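The following is an added example, not code from the Shoulder page or from the hpp project. It ties together the Description's point (first, last, or combined selection of a repeated parameter) and the Express remediation: it groups a raw query string the way Express's default parser surfaces duplicates (one occurrence becomes a string, repeats become an array), shows what a consumer sees under a `first`, `last` or `array` policy, and applies one policy in an Express-shaped `(req, res, next)` middleware that rejects duplicates of security-sensitive names. The names `parseQuery`, `selectValue`, `hppGuard` and `simulate` are this example's own, and the minimal fake `req`/`res` is constructed inline so it runs without Express or hpp installed.

```javascript
// Added example (not from the Shoulder page or the hpp project).
// Assumes an Express-style middleware shape (req, res, next); Express itself
// is not required because the request/response objects are built inline.

// Group every occurrence of each parameter, mimicking what Express's default
// query parser exposes: ?role=user&role=admin -> { role: ['user', 'admin'] },
// while a single page=2 stays a plain string.
function parseQuery(rawQuery) {
  const grouped = {};
  for (const [name, value] of new URLSearchParams(rawQuery)) {
    grouped[name] = name in grouped ? [].concat(grouped[name], value) : value;
  }
  return grouped;
}

// What a consumer observes for one parameter under a given selection policy.
// This is where frameworks disagree: some return the first value, some the
// last, Express returns the whole array.
function selectValue(value, policy) {
  if (!Array.isArray(value)) return value;
  switch (policy) {
    case 'first': return value[0];
    case 'last': return value[value.length - 1];
    case 'array': return value;
    default: throw new Error(`unknown policy: ${policy}`);
  }
}

// Middleware factory (hypothetical name). A repeated parameter whose name is in
// `sensitive` is rejected with 400 and the handler never runs; any other
// repeat is collapsed with `policy`, and the original list is kept on
// req.queryPolluted so it can be logged as a pollution attempt.
function hppGuard({ sensitive = [], policy = 'first' } = {}) {
  const sensitiveSet = new Set(sensitive);
  return function (req, res, next) {
    const polluted = {};
    for (const [name, value] of Object.entries(req.query)) {
      if (!Array.isArray(value)) continue;
      if (sensitiveSet.has(name)) {
        res.status(400).json({ error: `duplicate parameter not allowed: ${name}` });
        return; // deliberately no next(): stop the request here
      }
      polluted[name] = value;
      req.query[name] = selectValue(value, policy);
    }
    req.queryPolluted = polluted;
    next();
  };
}

// Drive the guard with a raw query string and a constructed fake req/res;
// returns what a downstream route handler would observe.
function simulate(rawQuery, options) {
  const req = { query: parseQuery(rawQuery) };
  const res = {
    statusCode: 200,
    body: null,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
  let reachedHandler = false;
  hppGuard(options)(req, res, () => { reachedHandler = true; });
  return {
    reachedHandler,
    status: res.statusCode,
    body: res.body,
    query: req.query,
    polluted: req.queryPolluted,
  };
}

// Constructed sample inputs: a privilege parameter repeated to smuggle a second
// value past a check that only reads the first, and a harmless repeated filter.
const polluted = parseQuery('role=user&role=admin&page=2');
console.log('first:', selectValue(polluted.role, 'first'),
            'last:', selectValue(polluted.role, 'last'),
            'array:', selectValue(polluted.role, 'array'));
console.log(simulate('role=user&role=admin', { sensitive: ['role'] }));
console.log(simulate('tag=a&tag=b&page=2', { policy: 'first' }));
```

The guard is only useful if the same policy is applied before any other reader of the parameter; mounting it after a route-level validator, or letting a proxy and the application parse the query independently, recreates the inconsistency the page describes.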