Lack of Data Validation - Numbers
Need
Prevent transactions with invalid values to ensure business logic integrity
Context
- Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications
- Usage of Phoenix Framework for request handling
Description
Non compliant code
defmodule MyAppWeb.TransactionController do
use MyAppWeb, :controller
def create(conn, params) do
# No transaction value validation
MyApp.create_transaction(params)
send_resp(conn, 200, "Transaction created")
end
end
This code is vulnerable because it doesn't validate the transaction value in 'params' before creating the transaction. An attacker can send a request with a lower transaction value, negatively impacting the business.
Steps
- Add a function to validate the transaction value in 'params' before creating the transaction.
- Before calling 'MyApp.create_transaction', call this validation function. If the validation fails, return an error response.
Compliant code
defmodule MyAppWeb.TransactionController do
use MyAppWeb, :controller
def create(conn, params) do
if validate_transaction_value(params) do
MyApp.create_transaction(params)
send_resp(conn, 200, "Transaction created")
else
send_resp(conn, 403, "Invalid transaction value")
end
end
defp validate_transaction_value(params) do
# Implement your transaction value validation logic here
end
end
This code is safe because it validates the transaction value before creating the transaction. If the request contains an invalid transaction value, it returns an error response instead of creating a transaction with an incorrect value.