Improper Handling of Extra Parameters (CWE-235)

Improper Handling of Extra Parameters

The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.

When applications receive duplicate parameters, they may process them inconsistently, leading to security bypasses or logic errors. Different frameworks may select the first, last, or combine duplicate parameters.

普遍性

中

覆盖 2 种语言

影响

中

建议审查

预防

已记录

2 个修复示例

2 预防

如何修复此漏洞

基于 2 条 Shoulder 检测规则的 Improper Handling of Extra Parameters 预防策略。

🟨 JavaScript 查看全部 JavaScript 详情 →

HTTP Parameter Pollution Prevention in Express.js LOW

Add hpp middleware to normalize duplicate query parameters

+3 -0 javascript

+ const hpp = require('hpp');
+ app.use(hpp());
+ 
  app.get('/search', (req, res) => {
    const role = req.query.role;
    if (role === 'admin') {
      res.json({ admin: true });
    }
  });

🐍 Python 查看全部 Python 详情 →

HTTP Parameter Pollution MEDIUM

Explicitly check for and reject duplicate HTTP parameters

+8 -7 python

- from flask import request
- 
- @app.route('/api/action')
- def action():
-     user_id = request.args.get('id')
-     # Attacker sends: ?id=1&id=admin
-     # Only gets first value, but backend proxy may use last
+ from flask import request, jsonify
+ 
+ @app.route('/api/action')
+ def action():
+     all_ids = request.args.getlist('id')
+     if len(all_ids) != 1:
+         return jsonify({'error': 'Duplicate parameters not allowed'}), 400
+     user_id = all_ids[0]
      perform_action(user_id)

3 检测

查找代码中的漏洞

使用Shoulder扫描代码中的Improper Handling of Extra Parameters模式。 2 规则.

终端

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=235

# Or scan entire project
npx @shoulderdev/cli trust .

检测规则 (2)

🟨 Javascript 1 rules

HTTP Parameter Pollution Prevention in Express.js LOW

Detects missing HTTP Parameter Pollution (HPP) protection in Express.js applications.

🔷 Typescript 1 rules

HTTP Parameter Pollution Prevention in Express.js LOW

Detects missing HTTP Parameter Pollution (HPP) protection in Express.js applications.

🐍 Python 1 rules

HTTP Parameter Pollution MEDIUM

Detects handling of duplicate HTTP parameters without proper validation.

4 警告信号

代码审查中需要关注的内容

这些模式表明潜在的Improper Handling of Extra Parameters漏洞。在代码审查和安全审计中注意查找。

🟡

handling of duplicate HTTP parameters without proper validation python-parameter-pollution

🔵

Request parameters used without HPP protection. Express converts duplicate query/body params to arrays, which can bypass javascript-express-hpp-prevention

🔵

missing HTTP Parameter Pollution (HPP) protection in Express javascript-express-hpp-prevention

🔍

扫描你的代码库: Improper Handling of Extra Parameters

Shoulder CLI 在整个代码库中找到易受攻击的模式。

npx shoulder trust 浏览所有规则