REQ-350 (Release Requirements)

Each ONAP project shall improve its CII Badging score by improving input validation and documenting it in their CII Badging site.


    • Type: Epic
    • Resolution: Done
    • Priority: High
    • Guilin Release
    • None
    • None
    • CII Badging Improvement
    • Non-Functional Requirement (DEPRECATED)
    • 3
    • Not yet performed
    • Original Scope
    • XS
    • GO
    • Yellow
    • GO
    • Green
    • GO
    • Green
    • GO

       Description of Use Case / Requirement: Each ONAP project shall improve its CII Badging score by improving input validation and documenting it in their CII Badging site.

      • Ensure that all GUIs and APIs perform bounds checking on input (input is not longer than expected)
      • Ensure that all GUIs and APIs check input for unexpected characters (unexpected characters can be used to initiate an injection attack)

       

      Owners (one of these should be the Assignee - use @ notation): TonyLHansen

       

      Link to HLD/LLD (if any):

       

      Dependency Relationships with Other Projects: All Projects

       

      Project Impact (Test Only (TO), Code (C)): C

       

      Support Status for each Affected Project (Supported (S); Partially Supported (P); Not Supported (N)):

      Note: for any affected projects labeled 'P' or 'N', please document the resulting gaps.

       

      Integration Leads (use @ notation): 

       

      Company Engagement:

      DETAILED INFORMATION:

      The "input_validation" CII question is:

      The project results MUST check all inputs from potentially untrusted sources to ensure they are valid (a whitelist), and reject invalid inputs, if there are any restrictions on the data at all.

      Note that comparing input against a list of 'bad formats' (aka a blacklist) is normally not enough, because attackers can often work around a blacklist. In particular, numbers are converted into internal formats and then checked if they are between their minimum and maximum (inclusive), and text strings are checked to ensure that they are valid text patterns (e.g., valid UTF-8, length, syntax, etc.). Some data may need to be 'anything at all' (e.g., a file uploader), but these would typically be rare.

       Discussion

      This question is about whether input from an outside source is verified before being used:

      • Ensure that all GUIs and APIs perform bounds checking on input (input is not longer than expected)
      • Ensure that all GUIs and APIs check input for unexpected characters (unexpected characters can be used to initiate an injection attack)
      • If possible, use an “accept” list instead of a “deny” list
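An added example, not code from this requirement or from any ONAP project, of the allow-list checks the CII question and the points above describe: numbers are converted and then range-checked inclusively, text is checked for valid UTF-8, length and syntax, and unexpected fields are rejected. The schema, field names and limits are constructed assumptions.

```python
import re

# Constructed allow-list schema for a hypothetical ONAP-style API request; field
# names and limits are assumptions for this example, not from any project.
# ("int", minimum, maximum): converted to int, then range-checked (inclusive).
# ("text", max_len, pattern): valid UTF-8, bounded length, full pattern match.
SCHEMA = {
    "vnf_name": ("text", 64, re.compile(r"[A-Za-z0-9_-]+")),
    "replicas": ("int", 1, 100),
}
# int() alone is too lenient (it accepts " 5", "+5" and non-ASCII digits),
# so the accepted syntax is pinned down before conversion.
_ASCII_INT = re.compile(r"-?[0-9]+")

def _as_text(value):
    """Return value as str, or None if it is neither str nor valid UTF-8 bytes."""
    if isinstance(value, bytes):
        try:
            return value.decode("utf-8")  # strict: malformed bytes raise
        except UnicodeDecodeError:
            return None
    return value if isinstance(value, str) else None

def validate(raw: dict) -> tuple[dict, list[str]]:
    """Allow-list validation: returns (accepted values, rejection reasons)."""
    accepted, errors = {}, []
    for name in raw:  # anything the schema does not expect is rejected
        if name not in SCHEMA:
            errors.append(f"{name}: unexpected field")
    for name, (kind, lo_or_len, hi_or_pat) in SCHEMA.items():
        if name not in raw:
            errors.append(f"{name}: missing")
            continue
        text = _as_text(raw[name])
        if text is None:
            errors.append(f"{name}: not a string or valid UTF-8 bytes")
        elif kind == "int":
            if not _ASCII_INT.fullmatch(text):
                errors.append(f"{name}: not an integer")
            elif not lo_or_len <= int(text) <= hi_or_pat:
                errors.append(f"{name}: outside [{lo_or_len}, {hi_or_pat}]")
            else:
                accepted[name] = int(text)
        elif len(text) > lo_or_len:  # bounds check: not longer than expected
            errors.append(f"{name}: longer than {lo_or_len} characters")
        elif not hi_or_pat.fullmatch(text):  # only the accepted character set
            errors.append(f"{name}: does not match the accepted pattern")
        else:
            accepted[name] = text
    return accepted, errors
```

Every rejection carries a reason, so a caller can log what was refused without echoing the raw input back to the client.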

      Examples of Answers from Projects that Already Answered

      • Met: The project strives to validate all input to functions. The inputs that are provided to the services are checked against existing models such as OXM or the search-abstraction layer, and only valid inputs are allowed to pass through.
      • Met: All inputs are checked before requests are processed, both on the frontend side and the backend side.
      • N/A: It is an internal component of ONAP, hence all consumers can be trusted.
      • Met: There are no inputs that are not part of the configuration of the Helm Charts. The configuration inputs would be validated by the deployed application containers and not by OOM itself.
      • Met: The SO project validates its inputs against the pre-registered models from SDC and the BPMN recipes that are invoked later on. Any discrepancy here would lead to an exception in the flow.

      How to Answer the Question

      Check how your applications are validating the inputs coming from external sources before making use of them.

      The PTL should check their code base to make sure the inputs are validated.

      You may delegate the checking of the code.

      How to Update the CII Website

      • Go to https://bestpractices.coreinfrastructure.org
      • Click Projects
      • Search for your project
      • Click Login (at the top)
      • Click Edit (at the top)
      • Click the button that says [silver]
      • Scroll to the bottom, click [v] Security
      • Search for “input_validation”
      • Fill in your answers
      • Click one of the green buttons [Save (and continue)] or [Submit (and exit)]

      This part should take about 5 minutes.

       

            tonylhansen
            Amy Zwarico (zwarico)