Description
These are SCP coding practices used during Cornucopia threat modeling sessions that we could add here.
**SCP [14]** Validate all input against a "white" list of allowed characters, whenever possible
SCP [14] is referred to in VE3.
Suggestion: Validate all input against an allowlist of characters, whenever possible
Reference:
https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html#allowlist-vs-denylist
https://top10proactive.owasp.org/archive/2018/c5-validate-inputs/#allowlisting-vs-denylisting
**SCP [21]** Contextually sanitize all output of un-trusted data to queries for SQL, XML, and LDAP
SCP [21] is referred to in VE9.
Suggestion: Sanitize potentially dangerous characters before using the data to call another service.
Reference:
https://top10proactive.owasp.org/archive/2018/c5-validate-inputs/#validation-functionality-in-libraries-and-frameworks
Ref: 1.3.6 https://github.com/OWASP/ASVS/blob/master/5.0/en/0x10-V1-Encoding-and-Sanitization.md#v13-sanitization
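As an added illustration of the two practices discussed in this issue (example code, not from the OWASP SCP project or the issue author): an allowlist check for a username, followed by context-specific sanitization for LDAP, XML and SQL sinks. The permitted username character set and the in-memory demo table are assumptions.

```python
import re
import sqlite3
from xml.sax.saxutils import escape as xml_escape

# SCP 14, allowlist validation: only characters a username may legitimately
# contain are accepted; everything else is rejected rather than "cleaned".
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def validate_username(value: str) -> bool:
    """Return True only if the whole value matches the allowlist pattern."""
    return USERNAME_RE.fullmatch(value) is not None


# SCP 21, LDAP context: RFC 4515 filter metacharacters become \XX hex escapes.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_filter(value: str) -> str:
    """Escape a value for use inside an LDAP search filter assertion."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def ldap_user_filter(username: str) -> str:
    """Build a search filter with the untrusted value escaped for that context."""
    return f"(&(objectClass=person)(uid={escape_ldap_filter(username)}))"


# SCP 21, XML context: &, < and > are escaped for text content.
def xml_user_element(username: str) -> str:
    """Embed the untrusted value as XML text content."""
    return f"<user>{xml_escape(username)}</user>"


# SCP 21, SQL context: the safe form is a parameterised query, so the value
# never becomes part of the SQL text and no character escaping is needed.
def sql_lookup_user(conn: sqlite3.Connection, username: str):
    """Look up a user by name with a bound parameter."""
    cur = conn.execute("SELECT id, name FROM users WHERE name = ?", (username,))
    return cur.fetchone()


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table (assumption) so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn
```

Note that sanitization is per sink: the LDAP escaping is useless for the XML element and vice versa, which is why the practice says "contextually".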