beetle on green leaf

Killing Classes of Bugs with Refined Types

Omer Levi Hevroni
A lot of application security defence mitigation fall into validation and sanitization. Many nasty bugs like XSS, SQLi, command injection etc can be avoided by just doing good input validation. Problem is – input validation is boring, and also – sometimes pretty complex. But it doesn’t have to be that way – and this is where using a language like Scala can help us out. Let’s see how!

The problem with Typescript

Typescript is an amazing language: All the good of JavaScript, with proper typing systems. This is why for a very long time, Typescript was my prefered language for a very long time. The problem is, Typescript typing are artificial – they are enforced only on “compile” time – when compiling the Typescript code to Javascript. Let’s take a look at one example:
Demoing TS typing problem - see: https://gist.github.com/omerlh/504c0050736df8a600a67b5f56641c2d#file-demo-ts
Demoing TS Typing Problem
What will happen?
Well, surprisingly (at least for me) this is a valid code. It will “compile” and run without any errors – printing string as the result.
So, apparently, if we write our server in Typescript we cannot even trust the types of data we receive! We might have a strongly typed interface defined for the user input – but those are only on “compile” time. And this makes the challenge of input validation even harder.

Scala?

Scala (like Kotlin) is yet another language that compiles to Java bytecode and can run on JVM. It has many benefits, especially “many of Scala’s design decisions are aimed to address criticisms of Java.[7] (according to wikipedia)
Well, that’s a good start for a language, right? We all hate Java, so Scala should be a good thing!
Anyhow, recently I started to look into Scala (thank you Baden Delamore for showing me the light!). Not like Typescript, Scala has a real typing system, so issues like the one we just saw in Typescript are irrelevant. But this is not all. Using Refined, we can embed input validation into our typing system. Let’s see an example!
Refined Types Example: https://gist.github.com/omerlh/504c0050736df8a600a67b5f56641c2d
Example of Refined Types
Using Refined, we can define our custom types with the required input validation – and move all the mess of input validation to the edge. Now, if I will try to pass a user email that is invalid, the JSON serialization will fail – results in 400 bad request status code. When writing my code, I can focus only on the logic, without the need to worry about input validation.
And it is even more powerful – Refined types can be used for any input you can handle. For example, the popular ORM [Slick](https://scala-slick.org/) has support for Refined types – meaning, you can always trust the data you are fetching from your database.

Wrapping Up

Refined types help us kill classes of bugs just by well defining our typing systems. It has also other benefits, as well defined types (vs using arbitrary Strings everywhere) makes the code clearer and reduced bugs. This is exciting news both for us, Application Security Engineers and for developers, as it could free us all to focus on other, more exciting news.
Does it mean we all have to start writing Scala? Not necessary. The same thing can be done with any language that supports a real typing system (as in “Not Typescript”). Which language are you using? Maybe it has a similar library to Refined? Make sure to let me know!

Leave a Reply

Your email address will not be published. Required fields are marked *