10 events
May 6, 2018 at 7:49 comment added Muhammad @SandyChapman the thing is, depending on what parameter I am getting, the Access Control may or may not decline the request. For example: an endpoint http://example.org/api/v2/documents?type=discarded fetches the document by type, but this type discarded may not be accessible depending on the user role. So in this example we would have to check if type is given in the right format and in the expected values
May 5, 2018 at 23:12 comment added Sandy Chapman There's essentially no reason to do validation before access control and many reasons not to. Can you explain if you have a reason for designing it this way?
May 5, 2018 at 3:17 comment added Joshua I ended up with a model kind of like this one, but with one amusing exception. The delete command only operates on the id of the document, so trying to enumerate names is impossible. The enumerate function filters out stuff the user can't see so calling the enum function gets back an empty list.
May 4, 2018 at 16:53 comment added mfsiega @KamilDrakari that's not an extreme example, that's a perfectly reasonable example. Put another way - if you do validation before access control, any time a developer wants to add a validation step, they have to make a decision on whether that validation exposes anything sensitive. The chance of every dev getting that call right seems tiny.
May 4, 2018 at 14:25 comment added Kamil Drakari @Rotem It's essentially impossible to determine in advance what information an attacker could take advantage of. Just because you haven't found a way to learn something you shouldn't, doesn't mean there isn't such a way. As an extreme example, there might not be any vulnerability now, but in the future somebody might add a check to the validation layer that does leak information because they didn't know it wasn't protected.
May 4, 2018 at 14:23 history edited Caleth CC BY-SA 4.0
added 205 characters in body
May 4, 2018 at 14:20 comment added Rotem @Caleth Could you elaborate on your last comment? I don't see how that's the case given OP's comment. Seems in any case the only information being sent back is unprivileged information if the schema is publicly documented.
May 4, 2018 at 13:55 comment added Muhammad @Caleth actually it wouldn't let you know if a certain document is in the system or not; this type of information would only be given when you reach the controller layer. Validation just checks the schema, it doesn't access the database - only access control & deeper layers do the database access. Also, the access control layer only shows you the same stuff whether a resource exists or not. The only compromising thing is the schema, and I am wondering if that is OK or not
May 4, 2018 at 12:36 comment added Kilian Foth +1, absolutely. If your data are in any way personally identifiable or sensitive in any other way, then security implications are much, much more serious than usability implications.
May 4, 2018 at 11:24 history answered Caleth CC BY-SA 4.0