
A-Sattari
Contributor

🛡️ Input Sanitization & Security Hardening

Purpose of the Change

This change introduces input sanitization mechanisms to the handling of user-influenced strings like backupName and query. These values are passed into APIs, UI keys, local storage, and internal logic. To ensure application resilience and reduce potential abuse vectors, we sanitize them to:

  • Remove potentially dangerous characters
  • Limit the input length
  • Ensure only safe and expected data is used throughout the application

⚙️ What has changed

1. _sanitizePlaceName() added to _HomePageState

Used to clean the backupName field before it's used in API calls, logic branches, and UI widgets.

2. LocationService is created following best practices to improve code readability and maintenance

3. _sanitizeQuery() added to LocationService

Used to clean the query parameter before being passed to weatherapi or OM APIs.

These functions ensure only:

  • Word characters (a-zA-Z0-9_)
  • Spaces
  • Commas
  • Dashes

are accepted. Also, no more than 100 characters are processed, to avoid buffer overflows from extremely long inputs.

4. Using Uri.https() instead of Uri.http(), which aligns with OWASP guidelines on Sensitive Data Exposure (OWASP Mobile Top 10: M1) and Insecure Communication (OWASP Mobile Top 10: M3).


📊 Impact of the Change

High-risk areas existed because:

  • User input was passed unfiltered to API calls and dynamic widgets
  • Special characters could break APIs or introduce unexpected behavior
  • Excessively long strings could trigger crashes or logic failures

However, there were no critical vulnerabilities like RCE or injection, because:

  • No direct string concatenation into shell commands or file writes occurred
  • Third-party API calls used structured query params (e.g., Uri.https)

That said, failure to sanitize is still a high-risk code smell and leaves open potential for:

  • Service disruption (DoS)
  • Information leakage via cache/log poisoning
  • Inconsistent app behavior across locales and edge cases

📚 OWASP Mobile Top 10 Compliance

These changes align with best practices and mitigate risks outlined in the OWASP Mobile Top 10.
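
An added example, not code from this PR or the project, showing the allowlist sanitizer the description outlines (word characters, spaces, commas, dashes, 100-character cap) and how the cleaned value is handed to Uri.https as a structured query parameter. Function names, the host, path and parameter names are assumptions.

```dart
// Added example (not the project's code): an allowlist sanitizer in the
// spirit of the PR's _sanitizePlaceName / _sanitizeQuery, plus the
// Uri.https call that carries the cleaned value as a query parameter.
// sanitizeInput, buildSearchUri, the host, path and parameter names are
// assumptions, not taken from the project.
import 'dart:math' show min;

const int kMaxInputLength = 100;

// Keep only word characters, spaces, commas and dashes, then cap the length.
// Caveat: \w here is ASCII-only, so accented letters such as "ü" are dropped.
// A caller that needs them should widen the character class deliberately
// (e.g. RegExp with unicode: true) rather than loosen the allowlist by accident.
String sanitizeInput(String raw) {
  final cleaned = raw.replaceAll(RegExp(r'[^\w ,-]'), '');
  return cleaned.substring(0, min(cleaned.length, kMaxInputLength));
}

// Uri.https percent-encodes each query value as a structured parameter,
// so the place name is never concatenated into the URL string by hand.
// The authority, path and parameter names are placeholders.
Uri buildSearchUri(String query) {
  return Uri.https('example.invalid', '/v1/search', {
    'q': sanitizeInput(query),
    'lang': 'en',
  });
}

void main() {
  // Constructed sample inputs: ordinary names, a markup payload, an oversized string.
  final samples = <String>[
    'New York',
    'Saint-Denis, FR',
    '<script>alert(1)</script>',
    'a' * 150,
  ];
  for (final s in samples) {
    final out = sanitizeInput(s);
    print('${s.length.toString().padLeft(3)} chars -> '
        '${out.length.toString().padLeft(3)} chars: "$out"');
  }
  // The comma and space are encoded in the query string by Uri.https.
  print(buildSearchUri('Saint-Denis, FR'));
}
```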

@bmaroti9
Owner

Cool! Thanks!

@bmaroti9 bmaroti9 merged commit 7f54b48 into bmaroti9:master Apr 11, 2025
@A-Sattari A-Sattari deleted the security-enhancements branch April 12, 2025 21:39