Trust Boundary Violation

ID

python.trust_boundary_violation

Severity

high

Resource

Information Leak

Language

Python

Tags

CWE:501, NIST.SP.800-53, OWASP:2021:A4, PCI-DSS:6.5.1

Description

Trust boundary violation occurs when the application improperly validates or trusts data crossing from an untrusted to a trusted domain.

This may involve inadequate checks on data from sources like user inputs or external systems, allowing malformed or malicious data to affect the application.

Rationale

Data often traverses from untrusted sources such as user inputs, external APIs, or network connections to the more trusted internals of the application.

A trust boundary violation arises when this transition allows unvalidated or improperly sanitized data to impact the application’s operations or security.

Here is a simplistic example:

from django.http import HttpResponse

def dummy(request):
    tainted = request.GET['super_secret']
    request.session['username'] = tainted  # FLAW

In the above example, the program takes input directly from the user and stores it into the session.

Remediation

To mitigate the risks of trust boundary violations, implement the following practices for secure handling of data across trust boundaries:

1. Input Validation: Ensure all inputs from untrusted sources are rigorously validated and sanitized before use. Implement input constraints like length checks, pattern matching, or using whitelists to enforce valid data formats.

2. Use Security Libraries: Leverage existing libraries that offer strong validation routines and error handling measures (e.g., Apache Commons Validator or OWASP Java Validator projects).

3. Error Handling: Implement robust error handling to gracefully handle and log exceptions caused by unexpected input, reducing exposure of error messages or stack traces that could provide insights to an attacker.

4. Principle of Least Privilege: Apply access controls and execute code with the least privileges necessary. Enforce stringent role-based access controls to minimize risk.

5. Static Analysis Tools: Utilize SAST tools to automate the detection of potential trust boundary vulnerabilities and integrate them into your continuous integration pipelines.

Configuration

The detector has the following configurable parameters:

  • sources, that indicates the source kinds to check.

  • neutralizations, that indicates the neutralization kinds to check.

Unless you need to change the default behavior, you typically do not need to configure this detector.

References

  • CWE-501 : Trust Boundary Violation.