logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

Lack of Data Validation - Numbers - Elixir

Need

Prevent transactions with invalid values to ensure business logic integrity

Context

  1. Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications
  2. Usage of Phoenix Framework for request handling

Description

Insecure Code Example

defmodule MyAppWeb.TransactionController do
  use MyAppWeb, :controller

  def create(conn, params) do
    # No transaction value validation
    MyApp.create_transaction(params)
    send_resp(conn, 200, "Transaction created")
  end
end

This code is vulnerable because it doesn't validate the transaction value in 'params' before creating the transaction. An attacker can send a request with a lower transaction value, negatively impacting the business.

Steps

  1. Add a function to validate the transaction value in 'params' before creating the transaction.
  2. Before calling 'MyApp.create_transaction', call this validation function. If the validation fails, return an error response.

Secure Code Example

defmodule MyAppWeb.TransactionController do
  use MyAppWeb, :controller

  def create(conn, params) do
    if validate_transaction_value(params) do
      MyApp.create_transaction(params)
      send_resp(conn, 200, "Transaction created")
    else
      send_resp(conn, 403, "Invalid transaction value")
    end
  end

  defp validate_transaction_value(params) do
    # Implement your transaction value validation logic here
  end
end

This code is safe because it validates the transaction value before creating the transaction. If the request contains an invalid transaction value, it returns an error response instead of creating a transaction with an incorrect value.

References

  • 197 - Lack of Data Validation - Numbers

    • Last updated

    2023/09/18