OWASP Top Ten and anvil

It seems that the OWASP Top Ten is not addressed in this document.
https://anvil.works/docs/security#building-secure-apps

Should I validate user input, or does Anvil do it automatically?

Your code should validate user input, both at the browser, and at the server. (Browser-side code can be compromised, if the user is clever enough. But the user doesn’t have access to your server-side code.)

I find “automatic validation” to be a terrible term. No system is going to “automatically” know your application’s rules. The rules have to be spelled out, somewhere, by someone who knows them. If someone does that in a format that your app can directly use (i.e., Python code), then that helps a lot.

1 Like

Hi @p.colbert, thanks for your reply.
It isn’t business logic validation, but security input validation, against SQL injection, Cross-Site Scripting (XSS)…

Anvil was built with these general concerns in mind, but not as a direct response to that particular site. I wouldn’t expect Anvil’s documentation to address their Top Ten point-by-point.

That said, as long as your data access uses only Anvil’s built-in database wrapper, you should not have to worry about SQL injection. Anvil’s own behind-the-scenes code takes that very seriously, and does that work for you.

If you write your app so that it creates its own SQL queries directly, and some database uses those queries, then you do have to craft your query-generation code very carefully.

And if some user gives his name as Robert'); DROP TABLE students;--, I’d disable that user’s account, no matter how my database was protected. :wink:

2 Likes
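The two answers above put together, as an added example that is not Anvil’s own code and not from the thread: the `students` table and the name rule are assumptions, every query binds the user’s text as a parameter (the “crafted carefully” query-generation the second answer asks for), and the server still applies the app’s own validation rule, as the first reply says it must.

```python
import re
import sqlite3

# Constructed sample input: an ordinary name and the name quoted in the thread.
SAMPLE_NAMES = ["Alice", "Robert'); DROP TABLE students;--"]

# Hypothetical rule for this app: letters, spaces, apostrophes and hyphens,
# 1-60 characters. No framework supplies this; the app author spells it out.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z '\-]{0,59}")


def is_valid_name(name: str) -> bool:
    """Server-side validation against the app's own rule (browser checks can be bypassed)."""
    return NAME_RE.fullmatch(name) is not None


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the real database, with a students table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def add_student(conn: sqlite3.Connection, name: str) -> int:
    """Bound parameter: the driver passes the name as data, never as SQL text."""
    cur = conn.execute("INSERT INTO students (name) VALUES (?)", (name,))
    return cur.lastrowid


def find_student(conn: sqlite3.Connection, name: str):
    """Same rule for reads: every query that takes user text binds it."""
    row = conn.execute("SELECT name FROM students WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Store the samples through the parameterised path and report the outcome."""
    conn = open_db()
    for n in SAMPLE_NAMES:
        add_student(conn, n)
    intact = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'students'"
    ).fetchone() is not None
    return {
        "validation": {n: is_valid_name(n) for n in SAMPLE_NAMES},
        "stored_verbatim": all(find_student(conn, n) == n for n in SAMPLE_NAMES),
        "students_table_intact": intact,
    }
```

With parameters bound, the infamous name is stored as an ordinary string and the table survives; the validation rule is what decides whether such a name is accepted at all.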