Resource Injection
| ID | python.resource_injection |
| Severity | high |
| Resource | Injection |
| Language | Python |
| Tags | CWE:99, NIST.SP.800-53, OWASP:2021:A3, PCI-DSS:6.5.1 |
Rationale
Resource Injection occurs when an attacker is able to manipulate inputs that are concatenated with paths, queries, or resource identifiers in such a way that unintended resources are accessed. The main risk is unauthorized access, data leakage, and potential modification or destruction of resources.
For example, consider this Python code snippet:

```python
from flask import Flask, request
import psycopg2

app = Flask(__name__)

@app.route('/connect')
def connect_to_database():
    # Retrieve the port number from user input
    port = request.args.get('port')
    # Potentially unsafe usage of user input for database connection
    conn = psycopg2.connect(  # FLAW
        dbname="exampledb",
        user="dbuser",
        password="dbpass",
        host="localhost",
        port=port
    )
    # Perform database operations
    return "Connected to the database"

if __name__ == '__main__':
    app.run()
```
In this example, the port number for the database connection is directly obtained from user input without validation. This could lead to a resource injection vulnerability where an attacker specifies a malicious port, potentially disrupting database operations or connecting to an unintended service.
Remediation
The most common way to prevent resource injection vulnerabilities is to sanitize user input before using it in resource construction: ensure that resource identifiers are strictly validated against a whitelist of known safe values, so that arbitrary input is never interpreted as a valid identifier.
If whitelisting is not possible, use a strict blacklist to limit the range of allowed identifiers.
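As an added example (not part of the original page or the detector's own code), this is the page's route rewritten so that the port is validated against a whitelist before any connection is built. The allowed ports 5432 and 5433 are a constructed assumption, and the connector is passed in as a parameter so the logic runs without Flask or a database.

```python
from typing import Optional

# Constructed allowlist (assumption): the only ports this deployment's databases listen on.
ALLOWED_DB_PORTS = frozenset({5432, 5433})

# Fixed connection parameters; only the port may come from the request.
BASE_CONN_PARAMS = {
    "dbname": "exampledb",
    "user": "dbuser",
    "password": "dbpass",
    "host": "localhost",
}

def validate_port(raw: Optional[str], allowed=ALLOWED_DB_PORTS) -> int:
    """Return the port as an int only if it is on the whitelist; otherwise raise ValueError."""
    if raw is None or not raw.strip().isdigit():
        raise ValueError("port must be a decimal integer")
    port = int(raw.strip())
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    if port not in allowed:
        raise ValueError("port not on whitelist")
    return port

def is_allowed_port(raw: Optional[str]) -> bool:
    """Boolean form of validate_port, convenient for checks and logging."""
    try:
        validate_port(raw)
        return True
    except ValueError:
        return False

def build_conn_params(raw_port: Optional[str]) -> dict:
    """Merge the validated port into the fixed parameter set (the neutralization step)."""
    return {**BASE_CONN_PARAMS, "port": validate_port(raw_port)}

def connect_to_database(raw_port: Optional[str], connect):
    """Hardened route body; `connect` is injected (psycopg2.connect in the page's app).

    In the Flask app, raw_port would be request.args.get('port').
    """
    try:
        params = build_conn_params(raw_port)
    except ValueError as exc:
        # Reject with 400 instead of attempting a connection; log the value for alerting.
        return f"Rejected port: {exc}", 400
    connect(**params)
    return "Connected to the database", 200
```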
Additional precautions include:
- Privilege Segregation: Run resource access code under the least privilege principle. Design the application to minimize the access scope for sensitive resources.
- Logging and Alerting: Implement comprehensive logging and alerting to monitor resource access, making clear which resources are accessed. This helps in early detection of suspicious activities or misuse.
- Static Code Analysis: Utilize SAST tools with detectors that specifically check for untrusted input in resource construction. Regular scans will help identify new vulnerabilities introduced in your code base.
Configuration
The detector has the following configurable parameters:
- `sources`, which indicates the source kinds to check.
- `neutralizations`, which indicates the neutralization kinds to check.
Unless you need to change the default behavior, you typically do not need to configure this detector.
References
- CWE-99: Improper Control of Resource Identifiers ('Resource Injection').
- OWASP Top 10 2021 - A03: Injection.
- CAPEC-240: Resource Injection.
- Resource Injection Attack, in OWASP Attacks Project.