Validate and Sanitize Incoming Data

Fahim Fahad
3 min read · Jul 2, 2022

Apply validation and sanitization in a Spring Boot application

Photo by AltumCode on Unsplash

Every day, our web application manages user data. Our system receives a lot of data, which we store in the database. Not all of the incoming data is reliable or secure, so it needs to be verified and cleaned up before we store it. In this article I will discuss how we can validate and sanitize incoming data in a Spring Boot application. Let's begin.

There are a few sources where users can send data to our Spring Boot application.

  1. Request body
  2. Path variable
  3. File upload

I made a demo flow with a Person and Person controller to show how we can apply validation and sanitization. You will find the code here: https://github.com/olein/Java-AWS-RnD/tree/sanitization

Validate request object

I created a Person class that works as a DTO.

And the Person controller

ModelValidator

You can see that I don't use any setters in the Person class. Instead, I bind the request data using a constructor-based approach. I call a ModelValidator from the constructor to check whether any property violates a validation constraint, so an invalid object is never constructed. ModelValidator requires some setup; I shared that setup in my demo project.

In my Person class, I set a few annotations on the fields: @NotBlank, @NotNull, @Pattern, @Min, @Max, @Positive, @Digits, @Email, @FutureOrPresent, @Past, etc. There are a few more annotations that we can use for validating our DTOs. They make validating the data really easy, because we do not have to write the validation code ourselves. See how easy it is to validate an email. @Pattern is very powerful: we can apply any regular expression and reject invalid data quickly with a proper error message.

In the demo project, I also set up global exception handling for the exceptions thrown from these constructors. I skipped the details here, but you will find the setup in the code.
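The following is an added example and not the article's own code (the article's Person, PersonController and ModelValidator live in its demo repository). It assumes Spring Boot 2.x with javax.validation on the classpath, and the ModelValidator shown here is a hypothetical helper that simply runs Bean Validation from the DTO constructor. It also shows the piece the article leaves to the repository: because Jackson wraps a constructor exception in HttpMessageNotReadableException, a global handler has to unwrap it to return a 400 instead of a 500.

```java
// Added example, not the article's code. ModelValidator is a hypothetical helper.
import java.time.LocalDate;
import java.util.Set;
import javax.validation.ConstraintViolation;
import javax.validation.ConstraintViolationException;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.constraints.Email;
import javax.validation.constraints.Max;
import javax.validation.constraints.Min;
import javax.validation.constraints.NotBlank;
import javax.validation.constraints.NotNull;
import javax.validation.constraints.Past;
import javax.validation.constraints.Pattern;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.http.converter.HttpMessageNotReadableException;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.bind.annotation.RestControllerAdvice;

// Hypothetical helper: runs Bean Validation over an object and throws on any violation.
final class ModelValidator {
    private static final Validator VALIDATOR =
            Validation.buildDefaultValidatorFactory().getValidator();

    static <T> void validate(T model) {
        Set<ConstraintViolation<T>> violations = VALIDATOR.validate(model);
        if (!violations.isEmpty()) {
            throw new ConstraintViolationException(violations);
        }
    }
}

// DTO with no setters: Jackson binds the request body through the constructor,
// so an instance can only exist once every constraint has passed.
public final class Person {
    @NotBlank
    @Pattern(regexp = "^[\\p{L} .'-]{1,100}$", message = "name has unsupported characters")
    private final String name;

    @NotBlank
    @Email
    private final String email;

    @Min(0)
    @Max(150)
    private final int age;

    @NotNull
    @Past
    private final LocalDate birthDate;

    @JsonCreator
    public Person(@JsonProperty("name") String name,
                  @JsonProperty("email") String email,
                  @JsonProperty("age") int age,
                  @JsonProperty("birthDate") LocalDate birthDate) {
        this.name = name;
        this.email = email;
        this.age = age;
        this.birthDate = birthDate;
        ModelValidator.validate(this); // reject the whole object before it leaves the constructor
    }

    public String getName() { return name; }
    public String getEmail() { return email; }
    public int getAge() { return age; }
    public LocalDate getBirthDate() { return birthDate; }
}

@RestController
@RequestMapping("/persons")
class PersonController {
    @PostMapping
    ResponseEntity<Person> create(@RequestBody Person person) {
        // Reaching this line means the constructor already validated the body.
        return ResponseEntity.status(HttpStatus.CREATED).body(person);
    }
}

// Jackson wraps an exception thrown inside a @JsonCreator constructor in
// HttpMessageNotReadableException; unwrap it so validation failures become 400, not 500.
@RestControllerAdvice
class ConstructorValidationHandler {
    @ExceptionHandler(HttpMessageNotReadableException.class)
    ResponseEntity<String> onUnreadable(HttpMessageNotReadableException ex) {
        for (Throwable t = ex; t != null; t = t.getCause()) {
            if (t instanceof ConstraintViolationException) {
                return ResponseEntity.badRequest().body(t.getMessage());
            }
        }
        return ResponseEntity.badRequest().body("malformed request body");
    }
}
```

The handler walks the cause chain rather than matching on Jackson's own exception types, so it keeps working if the Jackson version changes the wrapper it uses. A POST with `"age": 200` or `"email": "not-an-email"` never produces a Person object at all; the caller receives a 400 listing the violated constraints.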

Validate path variable

Path variables are commonly used in applications. We primarily use IDs to query our database and update, delete or get data. In most cases, the IDs are integers or UUIDs (a combination of digits and letters), so we already know that a legitimate path variable will not contain any special characters or white space. In that case, the validator can be used on the path variable too.

In this case, my id is a string and I only allow letters and digits. Anything else causes a 404 error, rejecting the request as early as possible.
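An added example of this check (not the article's controller), assuming Spring Boot 2.x with javax.validation: class-level @Validated turns on method-parameter validation, @Pattern restricts the id to letters and digits, and a controller advice maps the resulting ConstraintViolationException to the 404 the article describes.

```java
// Added example, not the article's code. Validates a path variable before it reaches the repository.
import javax.validation.ConstraintViolationException;
import javax.validation.constraints.Pattern;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.bind.annotation.RestControllerAdvice;

@Validated // required: without it, constraints on @PathVariable parameters are silently ignored
@RestController
@RequestMapping("/persons")
public class PersonLookupController {

    // Letters and digits only, with an upper bound so an oversized id is rejected as well.
    private static final String ALNUM_ID = "^[A-Za-z0-9]{1,36}$";

    @GetMapping("/{id}")
    public ResponseEntity<String> get(@PathVariable("id") @Pattern(regexp = ALNUM_ID) String id) {
        // Only reached when id matched ALNUM_ID; a repository lookup would go here.
        return ResponseEntity.ok("person " + id);
    }
}

// A violated @Pattern on a path variable raises ConstraintViolationException (a 500 by default).
// Answer 404 as the article does: an id that cannot exist is treated like one that does not exist.
@RestControllerAdvice
class PathVariableValidationHandler {
    @ExceptionHandler(ConstraintViolationException.class)
    ResponseEntity<Void> onInvalidPathVariable(ConstraintViolationException ex) {
        return ResponseEntity.status(HttpStatus.NOT_FOUND).build();
    }
}
```

If your IDs are UUIDs, declare the parameter as `java.util.UUID` instead of a String; Spring's conversion then rejects anything that is not a well-formed UUID before the handler method runs, and the hyphens a UUID contains no longer need to be in the pattern.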

Sanitize incoming HTML

Sometimes we may need to sanitize incoming data that contains HTML. Let's assume we have a description field that may legitimately carry HTML tags and attributes. There is then a good chance that we will also receive some dirty data in the description field.

To reduce the risk of XSS attacks, we can use the Jsoup clean method. We need to add a Maven dependency to make it work.

<dependency>
    <groupId>org.jsoup</groupId>
    <artifactId>jsoup</artifactId>
    <version>1.14.2</version>
</dependency>

Person controller

I have added 3 examples here. We can add our trusted HTML tags and attributes to a safelist, or we can use the basic safelist provided by the Jsoup library.

On the other hand, if we do not want to allow any HTML tags in our description field, we just need to use Safelist.none() and it will remove all HTML tags from the text.
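The three variants described above, as an added example rather than the article's Person controller. It uses the Jsoup 1.14.2 API from the dependency shown (Jsoup.clean and Safelist); the sample input with an inline event handler, a script block and a javascript: link is constructed here to show what each safelist strips.

```java
// Added example, not the article's code. Three ways to clean a description field with Jsoup 1.14.2.
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

public final class DescriptionSanitizer {

    // 1. Our own safelist: only the tags and attributes we trust, and links only over http(s),
    //    so a javascript: or data: href is dropped along with any on* event attribute.
    private static final Safelist TRUSTED = new Safelist()
            .addTags("p", "b", "i", "em", "strong", "ul", "ol", "li", "a")
            .addAttributes("a", "href")
            .addProtocols("a", "href", "http", "https");

    public static String withTrustedTags(String raw) {
        return Jsoup.clean(raw, TRUSTED);
    }

    // 2. The library's basic safelist: simple text formatting, lists and links,
    //    with rel="nofollow" enforced on anchors.
    public static String withBasicSafelist(String raw) {
        return Jsoup.clean(raw, Safelist.basic());
    }

    // 3. No markup at all: every tag is removed and only the text content survives.
    public static String textOnly(String raw) {
        return Jsoup.clean(raw, Safelist.none());
    }

    public static void main(String[] args) {
        // Constructed sample input mixing legitimate formatting with markup we never want stored.
        String dirty = "<p onclick=\"alert(1)\">Hello <b>world</b>"
                + "<script>alert('xss')</script>"
                + "<a href=\"javascript:alert(1)\">link</a>"
                + "<a href=\"https://example.com\">ok</a></p>";

        System.out.println("trusted : " + withTrustedTags(dirty));
        System.out.println("basic   : " + withBasicSafelist(dirty));
        System.out.println("none    : " + textOnly(dirty));
    }
}
```

With the custom safelist the onclick attribute, the script element (including its body) and the javascript: href are removed while the paragraph, bold text and the https link are kept; Safelist.none() leaves only the visible text. Call the chosen method from the Person constructor when assigning the description field, so the stored value is always the cleaned one.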

Validate uploaded files

We must validate any file the user uploads. There are quite a few security risks related to file upload. Here are a few key steps we should take when dealing with file uploads.

  1. Validate the file format.
  2. Set a maximum file upload size.
  3. Do not use the user-supplied filename. Generate a random file name when storing the file on a server or in the cloud.
  4. If we need a library to read data from a file (XML, XLSX, etc.), use an up-to-date version of that library to avoid known security issues.
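An added example, not from the article's repository, applying steps 1 to 3 to a Spring MultipartFile: it enforces a size limit, checks the leading bytes of the content against the claimed extension rather than trusting the extension or Content-Type header alone, and stores the file under a random UUID name. The allowed types, the 2 MiB limit and the upload directory are assumptions chosen for the example.

```java
// Added example, not the article's code. Validates an upload before writing it to disk.
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.UUID;
import org.springframework.web.multipart.MultipartFile;

public final class UploadValidator {

    // Assumed limit for this example; Spring Boot can enforce the same bound at the request
    // level through spring.servlet.multipart.max-file-size.
    private static final long MAX_BYTES = 2L * 1024 * 1024;

    // Allowed extension -> the bytes a real file of that type starts with ("magic numbers").
    // The extension and Content-Type header both come from the client and are not trusted.
    private static final Map<String, byte[]> SIGNATURES = Map.of(
            "png", new byte[] {(byte) 0x89, 'P', 'N', 'G'},
            "jpg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
            "pdf", new byte[] {'%', 'P', 'D', 'F'});

    /** Validates the upload and stores it under a random name; returns the stored path. */
    public static Path store(MultipartFile file, Path uploadDir) throws IOException {
        // Step 2: size limit, checked before the content is read into memory.
        if (file.isEmpty() || file.getSize() > MAX_BYTES) {
            throw new IllegalArgumentException("file is empty or larger than " + MAX_BYTES + " bytes");
        }

        // Step 1: format allow-list, then content signature must agree with the extension.
        String ext = extensionOf(file.getOriginalFilename());
        byte[] expected = SIGNATURES.get(ext);
        if (expected == null) {
            throw new IllegalArgumentException("unsupported file type");
        }
        byte[] data = file.getBytes();
        if (data.length < expected.length
                || !Arrays.equals(Arrays.copyOf(data, expected.length), expected)) {
            throw new IllegalArgumentException("content does not match ." + ext);
        }

        // Step 3: never reuse the client's name (it may carry path separators or ".." segments);
        // only the validated extension is kept.
        Path target = uploadDir.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(uploadDir.normalize())) {
            throw new IllegalStateException("resolved path escaped the upload directory");
        }
        Files.createDirectories(uploadDir);
        Files.write(target, data);
        return target;
    }

    // Lower-cased extension of the client-supplied name, or "" when there is none.
    static String extensionOf(String originalName) {
        if (originalName == null) {
            return "";
        }
        int dot = originalName.lastIndexOf('.');
        return dot < 0 ? "" : originalName.substring(dot + 1).toLowerCase(Locale.ROOT);
    }
}
```

Reading the whole file with getBytes() is acceptable here only because the size check runs first; for larger limits, read the signature from getInputStream() and stream the rest to disk. Step 4 (keeping parsing libraries current) is a dependency-management concern rather than request handling, so it is not part of this code.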

These are a few simple steps that we can apply to keep our application safe. We need to make sure we are not storing any unsafe data. Thank you for reading my article. I hope this will help. Best of luck 😊
