Lack of data validation #33

Open
disconnect3d opened this issue Jul 26, 2021 · 1 comment

Comments

@disconnect3d

The code does not perform any data validation of the arguments passed into given API methods, which may cause different operations to be triggered if the data is controlled by an untrusted party.

As an example, if the app_id passed into the Apps.delete_app method is controlled by an attacker, they can trigger a DELETE HTTP request to any other endpoint, as the final URL is constructed as:

```python
def delete_app(self, app_id):
    """delete an app"""
    url = self.url + "/" + app_id
    data = {}
    return self._delete_data(url, data) #pylint: disable=too-many-function-args
```

This may allow, e.g., triggering a ManagedAppConfigs.delete_config case if the attacker knows both app_id and managed_config_id.

While this case may not be a good attack example, since none of the arguments are validated, this can be true for any other HTTP method and endpoint used. Additionally, the untrusted input can also traverse paths upward with "../some_other_endpoint/" and most likely make the MDM backend server ignore a given path suffix. For example in:

```python
url = self.url + "/" + app_id + "/managed_configs/" + managed_config_id
```

We can provide app_id = "some_path#" or app_id = "some_path?a=" since the other server most likely doesn't care about additional query params or anchor marker in URLs.

@MagerValp
Collaborator

I'm not sure I agree that this is the responsibility of SimpleMDMpy, but I am thinking about reworking url construction which would be a place to insert this. Do you have any examples of other libraries that perform validation?
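The following is an added example for this thread, not code from SimpleMDMpy, from the reporter or from the maintainer. It places the raw concatenation quoted in the issue beside a URL builder of the kind the maintainer mentions wanting to rework: identifiers are validated and every path segment is percent-encoded, and an `effective_target` helper shows what a backend would actually route on for each of the attacker strings discussed above (`#`, `?a=`, `../`, an embedded `/managed_configs/`). The base URL and the rule that SimpleMDM ids are plain decimal integers are assumptions made for the example, not a documented contract of the API.

```python
"""Added example for this thread; not code from SimpleMDMpy, the reporter or
the maintainer.

It contrasts the raw concatenation quoted in the issue with a URL builder
that validates identifiers and percent-encodes every path segment, and it
shows what a server would actually route on for each attacker string.
Assumptions made here: the base URL, and the rule that SimpleMDM ids are
plain decimal integers (a reasonable fit, but not a documented contract).
"""
import posixpath
import re
from urllib.parse import quote, urlsplit

BASE_URL = "https://a.simplemdm.com/api/v1/apps"  # assumed base URL for the examples

# Assumption: identifiers are decimal digits only.
_ID_RE = re.compile(r"[0-9]+")


class InvalidIdentifier(ValueError):
    """Raised when a caller-supplied id contains anything but decimal digits."""


def unsafe_url(base, *segments):
    """The pattern the issue quotes: plain concatenation, no validation."""
    return base + "/" + "/".join(str(s) for s in segments)


def effective_target(url):
    """Return (path, query, fragment) as a server would see them.

    The path has dot-segments resolved with posixpath.normpath, which is
    what a backend that normalises '..' would route on; a backend that
    does not normalise would reject or misroute instead.  Either way the
    request no longer reaches the resource the caller intended.
    """
    parts = urlsplit(url)
    return posixpath.normpath(parts.path), parts.query, parts.fragment


def validate_id(value):
    """Return value as a string if it is a bare decimal id, else raise."""
    text = str(value)
    if not _ID_RE.fullmatch(text):
        raise InvalidIdentifier("identifier must be decimal digits only: %r" % (value,))
    return text


def safe_url(base, *segments):
    """Join base and segments, percent-encoding each segment with safe=''.

    With nothing left unescaped, '/', '#', '?' and '..' in a segment are
    data, not URL syntax, even if validate_id were loosened later.
    """
    encoded = (quote(str(s), safe="") for s in segments)
    return base.rstrip("/") + "/" + "/".join(encoded)


def delete_app_url(base, app_id):
    """Hardened counterpart of the delete_app URL in the issue."""
    return safe_url(base, validate_id(app_id))


def delete_config_url(base, app_id, managed_config_id):
    """Hardened counterpart of the managed_configs URL in the issue."""
    return safe_url(base, validate_id(app_id), "managed_configs",
                    validate_id(managed_config_id))


def is_rejected(func, *args):
    """True if func(*args) raises InvalidIdentifier."""
    try:
        func(*args)
    except InvalidIdentifier:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker-controlled values, each exercising one of the
    # tricks described in the issue.
    attacks = ["123#", "123?a=", "../devices/456", "123/managed_configs/789"]
    for app_id in attacks:
        url = unsafe_url(BASE_URL, app_id, "managed_configs", "789")
        print("unsafe :", url, "->", effective_target(url))
        if is_rejected(delete_config_url, BASE_URL, app_id, "789"):
            print("safe   : rejected by validate_id")
        else:
            print("safe   :", delete_config_url(BASE_URL, app_id, "789"))
    print("safe_url alone:", safe_url(BASE_URL, "../devices/456"))
```

Run as a script, the `unsafe` lines show `123#` and `123?a=` truncating the request to `/api/v1/apps/123` (the rest lands in the fragment or query string), `../devices/456` resolving to `/api/v1/devices/456` on a normalising backend, and an embedded `/managed_configs/789` producing exactly the URL the separate `delete_config` method would have built. The hardened builders reject all four, and `safe_url` on its own turns `../devices/456` into the single opaque segment `..%2Fdevices%2F456`. Validation and encoding are kept as two layers on purpose: the regex enforces the identifier contract at the API boundary, while `quote(..., safe="")` keeps the URL well-formed even for segments the regex would not cover.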
