Skip to main content

Positive integer validation

Description

refers to a security or software feature where inputs are checked to ensure they are positive integers. This type of validation is crucial in many applications, such as financial software, data processing, or user input forms, to prevent errors or security vulnerabilities like SQL injection or buffer overflows. By validating inputs as positive integers, the system ensures it receives data in the expected format and range, safeguarding against malicious inputs or unintended operations.

Remediation

To ensure positive integer validation, implement the following remediation steps:

  1. Check if the input is an integer using a type-checking function or method specific to your programming language (e.g., isinstance(input, int) in Python).
  2. Verify that the integer is greater than zero by comparing it with zero (e.g., input > 0).
  3. If the input fails either check, reject it and prompt the user for a valid positive integer.
  4. Use built-in functions or regular expressions to prevent non-numeric data entry if the input is received as a string.
  5. Consider using exception handling to catch any errors that occur during the input validation process.
  6. If the input is part of a web form, use client-side validation with JavaScript to provide immediate feedback, but always validate on the server-side as well to ensure security.
  7. Sanitize the input to prevent SQL injection or other forms of attacks if the data will interact with a database or other critical components.
  8. Provide clear error messages to guide the user towards entering a valid positive integer.
  9. Log validation failures when appropriate to monitor for unusual activity or repeated invalid inputs.
  10. Regularly review and update the validation logic to handle edge cases and new threat vectors.

GraphQL Specific

Apollo

Ensure that all user inputs are validated to accept only positive integers. Implement server-side checks to prevent invalid or malicious data from being processed. Use built-in functions or custom logic to verify that the input matches the expected format and range before using it within the Apollo framework engine.

Yoga

To ensure positive integer validation in the Yoga framework engine, implement input validation checks that verify the provided value is an integer and greater than zero. Use built-in validation functions or custom logic to enforce this rule before processing the input.

Awsappsync

Ensure that AWS AppSync resolvers validate input arguments to confirm they are positive integers where required. Implement custom validation logic within resolver mapping templates or leverage AWS AppSync pipeline resolvers to modularize validation as a distinct function before processing the business logic.

Graphqlgo

Ensure that the GraphQL Go framework engine validates that all inputs expected to be positive integers are indeed positive integers before processing. Implement checks either through custom scalar types that enforce the positive integer constraint or by adding validation logic in the resolver functions. This will help prevent invalid data from being processed and mitigate potential vulnerabilities such as integer overflow or unexpected behavior due to negative numbers or non-integer values.

Graphqlruby

In the GraphQL Ruby framework, ensure that any fields accepting positive integers are strictly validated. Use custom scalar types to define what constitutes a valid positive integer and reject any input that does not meet these criteria. Additionally, consider implementing range checks to prevent integer overflows and ensure that the values fall within the acceptable limits for your application's context.

Hasura

To ensure positive integer validation in Hasura, define a check constraint on the integer column within your Postgres database that enforces the value to be greater than zero. This can be done directly in the table's definition using SQL or through the Hasura console by adding a check constraint in the 'Modify' tab of the table. Additionally, use Hasura's permission system to validate the input on insert and update operations by setting up custom check expressions that allow only positive integers.

REST Specific

Asp_net

In ASP.NET, ensure that all user-provided inputs are validated using built-in functions like int.TryParse() for converting strings to integers and checking for positive values. Implement custom validation logic where necessary and use parameterized queries or ORM frameworks to interact with databases securely.

Ruby_on_rails

In Ruby on Rails, ensure positive integer validation by using Active Record validations such as validates_numericality_of with options only_integer: true and greater_than: 0. Additionally, use strong parameters to permit only the necessary inputs and employ parameterized queries to protect against SQL injection.

Next_js

In Next.js, ensure all user-provided inputs that are expected to be positive integers are strictly validated using built-in JavaScript functions like parseInt() combined with additional checks for NaN, non-integer values, and negative numbers. Implement middleware or custom hooks that sanitize and validate all incoming data before processing. For server-side APIs, use a library like express-validator to define validation schemas that enforce positive integer constraints.

Laravel

In Laravel, use the 'integer' and 'min:1' validation rules within your validation logic to ensure that inputs are positive integers. Apply these rules in form requests or controller methods using the Validator facade or the 'validate' method provided by the framework.

Express_js

In Express.js, ensure positive integer validation by using middleware that checks request parameters, query strings, or body data. Utilize libraries like express-validator to define custom validation chains for route parameters, applying checks such as .isInt({ gt: 0 }) to guarantee that the values are positive integers before they reach your route handlers.

Django

In Django, ensure positive integer validation by using forms with 'IntegerField' and setting 'min_value=1' to enforce the input as a positive integer. Additionally, use Django's built-in ORM methods and avoid raw SQL to protect against injection attacks.

Symfony

In Symfony, use the 'Assert' library for input validation. Apply the 'Positive' constraint to ensure the value is a positive integer, and use 'Type' constraint with 'integer' as the type option. Combine this with proper form validation to prevent invalid or malicious data from being processed.

Spring_boot

In Spring Boot, ensure positive integer validation by using the @Min(1) annotation on your controller method parameters or DTO fields to enforce that the value is a positive integer. Additionally, use @Valid or @Validated to trigger the validation process. For enhanced security, combine this with strong type checking and handle any MethodArgumentNotValidException exceptions to return appropriate error responses.

Flask

In Flask, use the 'request' object to access form data and employ the 'wtforms' library with 'IntegerField' and custom validation to ensure inputs are positive integers. Additionally, apply 'Flask-WTF' CSRF protection for secure form handling.

Nuxt

In Nuxt.js, ensure all user-provided inputs that are expected to be positive integers are validated using built-in validation rules or custom middleware. Utilize libraries like express-validator for server-side validation and vee-validate for client-side validation to check the input before processing. Always sanitize and cast inputs to integers using parseInt with a radix of 10 to prevent type coercion vulnerabilities.

Fastapi

In FastAPI, use Pydantic models to define expected data structures with fields typed as 'PositiveInt' for automatic validation of positive integer inputs. Combine this with dependency injection to further secure endpoints against invalid data.

Configuration

Identifier: schema/positive_integer_validation

Examples

Ignore this check

checks:
  schema/positive_integer_validation:
    skip: true

Score

  • Escape Severity: INFO

Compliance

  • OWASP: API8:2023

  • pci: 6.5.1

  • gdpr: Article-32

  • soc2: CC1

  • psd2: Article-95

  • iso27001: A.14.2

  • nist: SP800-53

  • fedramp: AC-6

Classification

  • CWE: 20

Score

  • CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
  • CVSS_SCORE: 0.1