Secure development: Sanitizing user inputs

Leave a Comment / AOSP, Security & Privacy / By

Input Sanitization, as the name implies, is a crucial component of secure coding methods. It entails cleaning and validating user input data, particularly when the program uses it in crucial contexts like database queries or file manipulations. Sanitization ensures that the input is in the right format and free of dangerous data that can ultimately result in security problems.

Given the large user base and diverse sources of input that an application may face especially when we need to keep secure the back-end communication, user private data, etc. input sanitization becomes a crucial component in the field of Android development. Thus, employing input sanitization libraries is essential to ensuring that programs meet the necessary security standards.

Input Sanitization Libraries are discussed in general, along with how they are used and examples in the C, C++, Java, and Kotlin programming languages for both low-level and high-level development.

Importance of Input Sanitization

Being an integral part of any secure coding practice, input sanitization protects an application from various security issues, like:

  • SQL Injection: This is caused when unescaped user input is used to craft SQL queries, which may lead to unauthorized access to application data.
  • Cross-site scripting (XSS): It occurs when an attacker uses a web application to send malicious code, generally in the form of browser-side scripts, to an end user.
  • Command Injection: This happens when unsanitized user input is used in system commands that could lead to the execution of arbitrary commands on the host operating system.
  • Buffer Overflow: If unchecked, long user input may overflow the memory buffer, potentially allowing an attacker to execute arbitrary code.

Why use Input Sanitization Libraries?

Instead of writing custom sanitization functions for every user-input scenario, sanitization libraries are curated with a pre-built set of functions covering various input validations and encodings. They are designed to cater to a wide range of use cases at different abstraction levels.

Some advantages include:

  • Availability of secure and reliable functions to verify and sanitize user inputs
  • Faster development by avoiding the need to write custom functions
  • High assurance of security with constant updates and optimizations provided by the library
  • Compliance with common security standards

Input Sanitization Libraries for C/C++

Various libraries are available for C and C++ languages that provide input sanitization functions. Some popular ones include:

  • Libinjection: It is a small MIT-licensed C library that detects SQL Injection and Cross-site scripting using lexical analysis. This library parses/sanitizes strings to check for any SQLi or XSS payloads.
  • StringSan: Another library that focuses on removing/executing malicious code in strings, it provides robust protection against all types of buffer overflows, and other string-based attacks.
  • libtidy: a C libarary to clean input html and clean it up

Example: Using Libinjection library in C

#include <stdio.h>
#include <stdlib.h>
#include "libinjection.h"

int main(){
    char input[] = "1 UNION SELECT * FROM users -- ";
    int is_sql_injection = libinjection_sqli(input, strlen(input));

    if (is_sql_injection) {
        printf("SQLi detected\n");
    } else {
        printf("Input valid\n");
    }

    return 0;
}

Input Sanitization Libraries for Java

For Java and Android development, popular sanitization libraries include:

  • OWASP ESAPI: The OWASP “Enterprise Security API” provides a set of input validation and output encoding functions to ensure data security in Java applications.
  • Apache Commons Validator: It is a widely used library that provides a set of input validation functions for various common use-cases in Java.
  • Google Guava: Although not specifically designed for input sanitization, Guava can be used as a utility library that has essential sanitization classes, like the Escaper class to prevent HTML injection.

Example: Using OWASP ESAPI for input validation in Java

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

public class SanitizerExample {
    public static void main(String[] args) {
        String userName = "<script>alert('XSS Attack!');</script>";

        try {
            String cleanUserName = ESAPI.validator().getValidInput("User Input", userName, "SafeString", 100, false);
            System.out.println("Valid User Name: " + cleanUserName);
        } catch (ValidationException e) {
            System.out.println("Invalid input detected: " + userName);
        }
    }
}

Input Sanitization Libraries in Kotlin (Android)

For Kotlin and Android development, some popular libraries are:

  • Android Saripaar: A simple annotation-based Android library that provides input validation, it checks for various input patterns as per annotations added to the respective input.
  • Validators Kotlin: A light-weight Kotlin library that offers predefined input validation functions for common scenarios.

Example: Using Android Saripaar for input validation in Kotlin

import com.mobsandgeeks.saripaar.annotation.*
import com.mobsandgeeks.saripaar.ValidationError

class MainActivity : AppCompatActivity(), Validator.ValidationListener {

    @NotEmpty
    @Email
    private lateinit var emailEditText: EditText

    @NotEmpty
    @Password
    private lateinit var passwordEditText: EditText

    private lateinit var submitButton:Button

    private lateinit var validator: Validator

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_main)

        emailEditText = findViewById(R.id.email)
        passwordEditText = findViewById(R.id.password)

        submitButton = findViewById(R.id.submit_button)
        submitButton.setOnClickListener { validateInputs() }

        validator = Validator(this)
        validator.setValidationListener(this)
    }

    fun validateInputs(view: View) {
        validator.validate()
    }

    override fun onValidationSucceeded() {
        Toast.makeText(this, "Input data is valid", Toast.LENGTH_SHORT).show()
    }

    override fun onValidationFailed(errors: List<ValidationError>) {
        for (error in errors) {
            val view = error.view
            val message = error.getCollatedErrorMessage(this)

            if (view is EditText) {
                view.error = message
            } else {
                Toast.makeText(this, message, Toast.LENGTH_LONG).show()
            }
        }
    }
}

Using input sanitization libraries helps keep coding safe, especially when making apps, especially when someone tries to put in harmful information.

Link to Book: Secure Android Development: Best Practices for Robust Apps

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *