Lack of Data Validation - Numbers

Need

Prevent transactions with invalid values to ensure business logic integrity

Context

Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications
Usage of Phoenix Framework for request handling

Description

Non compliant code

defmodule MyAppWeb.TransactionController do
  use MyAppWeb, :controller

  def create(conn, params) do
    # No transaction value validation
    MyApp.create_transaction(params)
    send_resp(conn, 200, "Transaction created")
  end
end

This code is vulnerable because it doesn't validate the transaction value in 'params' before creating the transaction. An attacker can send a request with a lower transaction value, negatively impacting the business.

Steps

Add a function to validate the transaction value in 'params' before creating the transaction.
Before calling 'MyApp.create_transaction', call this validation function. If the validation fails, return an error response.

Compliant code

defmodule MyAppWeb.TransactionController do
  use MyAppWeb, :controller

  def create(conn, params) do
    if validate_transaction_value(params) do
      MyApp.create_transaction(params)
      send_resp(conn, 200, "Transaction created")
    else
      send_resp(conn, 403, "Invalid transaction value")
    end
  end

  defp validate_transaction_value(params) do
    # Implement your transaction value validation logic here
  end
end

This code is safe because it validates the transaction value before creating the transaction. If the request contains an invalid transaction value, it returns an error response instead of creating a transaction with an incorrect value.

References

197.Lack of data validation - Numbers

Need​

Context​

Description​

Non compliant code​

Steps​

Compliant code​

References​