Metastatic.Analysis.BusinessLogic.ImproperInputValidation (Metastatic v0.10.4)

Detects improper input validation patterns (CWE-20).

This analyzer identifies code patterns where user input is used in sensitive operations without apparent validation or sanitization.

Cross-Language Applicability

Input validation is a universal security requirement:

  • Elixir: Using params directly without changeset validation
  • Python: Using request.args without validation
  • JavaScript: Using req.body without schema validation
  • Ruby: Using params without strong parameters
  • Java: Using request parameters without Bean Validation
  • C#: Using model binding without DataAnnotations

Problem

When input is not validated, the consequences can include:

  • Type confusion vulnerabilities
  • Buffer overflows (in some languages)
  • Logic flaws from unexpected values
  • Injection attacks (SQL, command, etc.)
  • Denial of service through malformed input

Detection Strategy

Detects patterns where:

  1. User input is used directly in operations
  2. No validation function calls are apparent
  3. No schema/changeset validation is used
  4. Input flows to sensitive operations
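The pattern this analyzer is designed to flag, placed beside the shape it expects instead, as an added Elixir example. This is illustration written for this page, not Metastatic's own code; it assumes Ecto is available as a dependency, and the module, table and field names (`Example.Account`, `Example.Accounts`, `accounts`, `credit_limit`) are hypothetical.

```elixir
# Added illustration of the CWE-20 pattern described above; not Metastatic's own code.
# Assumes `ecto` is a dependency. Module, table and field names are hypothetical.

defmodule Example.Account do
  use Ecto.Schema
  import Ecto.Changeset

  schema "accounts" do
    field :email, :string
    field :display_name, :string
    field :credit_limit, :integer
  end

  # Validation lives in one place: only the listed keys are cast (an allow-list),
  # each value is coerced to its declared type, and every field is checked
  # before the changeset can reach a sensitive operation.
  def changeset(account, params) do
    account
    |> cast(params, [:email, :display_name, :credit_limit])
    |> validate_required([:email, :display_name])
    |> validate_format(:email, ~r/^[^\s@]+@[^\s@]+$/)
    |> validate_length(:display_name, max: 64)
    |> validate_number(:credit_limit, greater_than_or_equal_to: 0, less_than: 1_000_000)
  end
end

defmodule Example.Accounts do
  # Flagged pattern: the raw request map flows straight into a struct and then
  # into Repo.insert/1. There is no changeset, no allow-list of keys and no type
  # check, so "credit_limit" holds whatever the client sent, unexpected keys
  # raise from struct!/2, and String.to_atom/1 on untrusted keys grows the atom
  # table (the denial-of-service case listed under "Problem").
  def create_unvalidated(repo, params) do
    fields = Map.new(params, fn {key, value} -> {String.to_atom(key), value} end)
    account = struct!(Example.Account, fields)
    repo.insert(account)
  end

  # Expected shape: validation is explicit and happens before the sensitive
  # operation. Repo.insert/1 refuses an invalid changeset and returns
  # {:error, changeset}, so bad input never reaches the database.
  def create(repo, params) do
    %Example.Account{}
    |> Example.Account.changeset(params)
    |> repo.insert()
  end

  # The same changeset reused as a pure check with no database involved:
  # apply_action/2 returns {:ok, struct} or {:error, changeset}.
  def validate(params) do
    %Example.Account{}
    |> Example.Account.changeset(params)
    |> Ecto.Changeset.apply_action(:insert)
  end
end
```

Calling `Example.Accounts.validate(%{"email" => "a@b.example", "display_name" => "A", "credit_limit" => "-5"})` returns `{:error, changeset}` because `"-5"` casts to an integer that fails `validate_number/3`; the same map passed to `create_unvalidated/2` would be inserted with a negative limit. From the analyzer's point of view, `create_unvalidated/2` matches all four detection criteria (input used directly, no validation calls, no changeset, flow into `Repo.insert`), while `create/2` and `validate/1` route the input through `changeset/2` first.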