Weather Witness

First Flight #40
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: medium
Likelihood: medium
Invalid

[EVMNINJA-WW09] Missing Input Validation for User-Supplied Parameters

Root + Impact

Description

The Chainlink Functions source uses the caller-supplied arguments `args[0]` (zip code) and `args[1]` (country code) directly in the geocoding API request without validating them. Without validation, an empty or malformed argument produces a malformed `zip` query parameter and therefore a failed request or a wrong geocoding result, and if the same values are reused elsewhere in ways not shown in this snippet they could also expose the system to injection.

params: { zip: `${args[0]},${args[1]}`, appid: secrets.apiKey }

Risk

Likelihood:

Medium - Depends on how the function is called and what controls exist upstream.

Impact:

Medium - Could lead to application errors or unexpected behavior.

Proof of Concept

Recommended Mitigation

Implement proper input validation for all parameters before they reach the request, and fail early with a clear error:

// Validate inputs before using them in the request
if (!args[0] || typeof args[0] !== 'string' || !args[1] || typeof args[1] !== 'string') {
  throw new Error("Invalid zip code or country code format")
}
// Basic zip code validation (US format; adjust to the postal code formats the dApp accepts)
const zipRegex = /^\d{5}(-\d{4})?$/
if (!zipRegex.test(args[0])) {
  throw new Error("Invalid zip code format")
}
const geoCodingRequest = Functions.makeHttpRequest({
  url: "https://api.openweathermap.org/geo/1.0/zip",
  method: "GET",
  params: { zip: `${args[0]},${args[1]}`, appid: secrets.apiKey }
})
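A fuller form of the check above, added here as an example (it is not the Weather Witness project's code): it validates the country code as well as the zip code, normalises whitespace and case, and rejects anything containing separators such as "," or "&" that would alter the `zip` query value. The per-country postal patterns in `ZIP_PATTERNS` and the function names `validateArgs`, `buildGeocodingParams` and `rejectionReason` are assumptions for this illustration; the request itself is only built, not sent, so the block runs offline.

```javascript
// Added example (not code from the Weather Witness project): validate the
// zip/country arguments before they are interpolated into the geocoding
// request. ZIP_PATTERNS and the function names are assumptions for this
// illustration; extend the table to the countries the dApp actually supports.

// Postal code formats per ISO 3166-1 alpha-2 country code (assumed subset).
const ZIP_PATTERNS = {
  US: /^\d{5}(-\d{4})?$/,                     // 90210 or 90210-1234
  GB: /^[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}$/i, // SW1A 1AA
  DE: /^\d{5}$/,                              // 10115
};

// A country code is exactly two ASCII letters; anything else is rejected.
const COUNTRY_RE = /^[A-Za-z]{2}$/;

// Check both user-supplied arguments and return normalised values.
// Throws on anything that would yield a malformed or ambiguous request,
// including separators such as "," or "&" that the patterns never match.
function validateArgs(args) {
  if (!Array.isArray(args) || args.length < 2) {
    throw new Error("expected two arguments: zip code and country code");
  }
  const [rawZip, rawCountry] = args;
  if (typeof rawZip !== "string" || typeof rawCountry !== "string") {
    throw new Error("zip code and country code must be strings");
  }
  const zip = rawZip.trim();
  const country = rawCountry.trim().toUpperCase();
  if (!COUNTRY_RE.test(country)) {
    throw new Error("invalid country code format");
  }
  const pattern = ZIP_PATTERNS[country];
  if (!pattern) {
    throw new Error(`unsupported country code: ${country}`);
  }
  if (!pattern.test(zip)) {
    throw new Error(`invalid zip code format for ${country}`);
  }
  return { zip, country };
}

// Build the query parameters for the OpenWeatherMap geocoding call from the
// validated arguments. The real source would hand this object to
// Functions.makeHttpRequest; the example stops here so it runs offline.
function buildGeocodingParams(args, apiKey) {
  const { zip, country } = validateArgs(args);
  return { zip: `${zip},${country}`, appid: apiKey };
}

// Return the rejection message for a set of arguments, or null when accepted.
function rejectionReason(args) {
  try {
    validateArgs(args);
    return null;
  } catch (err) {
    return err.message;
  }
}

// Constructed sample inputs: the first two are accepted, the rest rejected.
const samples = [
  ["90210", "us"],
  ["SW1A 1AA", "gb"],
  ["90210,GB&appid=x", "US"], // attempt to smuggle extra query data
  ["1234", "US"],
  ["12345", "FR"],
  [12345, "US"],
];
for (const args of samples) {
  console.log(JSON.stringify(args), "->", rejectionReason(args) ?? "accepted");
}
```

Keeping the allow-list of country codes explicit means an unsupported country is rejected before the request is made rather than returning an empty or wrong geocoding result; the patterns only need to be as strict as the formats the dApp is prepared to pay a Functions request for.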
Updates

Appeal created

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] Lack of input validation in `requestMintWeatherNFT`

This is informational. It is the user's responsibility to provide correct input arguments. If the user provides incorrect arguments, it will lead to incorrect results, lost funds or a failed transaction.
