
Automatic Information Enumeration - Credit Cards

Need

To prevent credit card information from being listed or exposed, by validating card data before it is stored or returned to the caller.

Context

  • Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  • Usage of Ecto (3.6.2 and above) for database query and manipulation
  • Usage of Plug (1.11.1 and above) for building composable web applications in Elixir

Description

Non compliant code

defmodule MyApp.PaymentController do
  use MyApp.Web, :controller

  # Vulnerable: card_params is handed to create_card without any check of the
  # card number, expiration date or security code, and the stored card is
  # rendered straight back to the caller.
  def create(conn, %{"card" => card_params}) do
    {:ok, card} = MyApp.Card.create_card(card_params)
    render(conn, "card.json", card: card)
  end
end

This code is vulnerable because the expiration date and security code of the credit card are never validated: whatever the client sends is accepted, stored and rendered back in the response. An attacker can automate requests against this endpoint and use the responses to list and enumerate credit card information.

Steps

  • Implement validation of the card number, expiration date and security code in the card creation flow, and reject the request before anything is persisted.
  • Install a credit card validation library if one is available for the stack, rather than writing ad hoc checks.

Compliant code

defmodule MyApp.PaymentController do
  use MyApp.Web, :controller

  # validate_card/1 must return :ok before create_card/1 is reached; any
  # non-matching value (for example {:error, reason}) falls into the else
  # branch and the request is rejected with 400 without touching storage.
  def create(conn, %{"card" => card_params}) do
    with :ok <- MyApp.Card.validate_card(card_params),
         {:ok, card} <- MyApp.Card.create_card(card_params) do
      render(conn, "card.json", card: card)
    else
      _ -> send_resp(conn, :bad_request, "Invalid card information.")
    end
  end
end

In this secure code example, a card validation step using the validate_card function runs before the card is created. This function checks the expiration date and security code of the credit card, and any failure short-circuits the with block so that nothing is stored or rendered. Validation alone does not stop an automated client from guessing; the rendered card.json should never echo the security code or the full card number, and the endpoint should be rate limited.
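The page does not show MyApp.Card.validate_card/1 itself. The following is an added example, not code from the original page or from any MyApp project, of how the validation called for in the Steps and used by the compliant controller could be implemented in plain Elixir. It assumes card_params is a map with the string keys "number", "exp_month", "exp_year" and "cvc"; those key names, the error atoms and the accompanying create_card/1 are assumptions.

```elixir
# Added example (not from the original page). Assumed input shape:
# %{"number" => pan, "exp_month" => m, "exp_year" => y, "cvc" => cvc}
defmodule MyApp.Card do
  @moduledoc """
  Validates raw card parameters before anything is persisted or rendered.
  Returns :ok or {:error, reason}; the controller maps any error to 400.
  """

  def validate_card(%{"number" => number, "exp_month" => m, "exp_year" => y, "cvc" => cvc}) do
    with {:ok, digits} <- normalize_number(number),
         :ok <- luhn_valid(digits),
         :ok <- expiry_valid(m, y),
         :ok <- cvc_valid(cvc) do
      :ok
    end
  end

  def validate_card(_), do: {:error, :missing_fields}

  # Strip spaces and dashes; require 13 to 19 digits (the ISO/IEC 7812 PAN range).
  defp normalize_number(number) when is_binary(number) do
    digits = String.replace(number, ~r/[\s-]/, "")

    if Regex.match?(~r/^\d{13,19}$/, digits),
      do: {:ok, digits},
      else: {:error, :invalid_number}
  end

  defp normalize_number(_), do: {:error, :invalid_number}

  # Luhn (mod 10) checksum: from the right, double every second digit,
  # subtract 9 from any product above 9, and require the sum to be divisible by 10.
  defp luhn_valid(digits) do
    sum =
      digits
      |> String.to_charlist()
      |> Enum.reverse()
      |> Enum.with_index()
      |> Enum.reduce(0, fn {c, i}, acc ->
        d = c - ?0
        d = if rem(i, 2) == 1, do: d * 2, else: d
        acc + if(d > 9, do: d - 9, else: d)
      end)

    if rem(sum, 10) == 0, do: :ok, else: {:error, :invalid_number}
  end

  # The expiry must be a real month/year and must not lie before the current
  # month (UTC). Two-digit years are interpreted as 20YY.
  defp expiry_valid(m, y) do
    with {month, ""} <- Integer.parse(to_string(m)),
         {year, ""} <- Integer.parse(to_string(y)),
         true <- month in 1..12 do
      year = if year < 100, do: 2000 + year, else: year
      today = Date.utc_today()

      if {year, month} >= {today.year, today.month},
        do: :ok,
        else: {:error, :expired}
    else
      _ -> {:error, :invalid_expiry}
    end
  end

  # The security code is 3 digits for most schemes and 4 for American Express;
  # anything else (letters, empty string, non-binary) is rejected.
  defp cvc_valid(cvc) when is_binary(cvc) do
    if Regex.match?(~r/^\d{3,4}$/, cvc), do: :ok, else: {:error, :invalid_cvc}
  end

  defp cvc_valid(_), do: {:error, :invalid_cvc}
end
```

Calling MyApp.Card.validate_card(%{"number" => "4111 1111 1111 1111", "exp_month" => "12", "exp_year" => "2030", "cvc" => "123"}) returns :ok; changing the last digit of the number makes the Luhn check fail with {:error, :invalid_number}, a past expiry returns {:error, :expired}, and a two-digit or alphabetic security code returns {:error, :invalid_cvc}. Because each check returns a distinct error atom, the controller can log the reason while still sending the caller only the generic "Invalid card information." response, so the error message itself does not help an attacker enumerate which field was wrong.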
