Lack of Data Validation - Numbers
Need
Prevent transactions with invalid values to ensure business logic integrity
Context
• Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications
• Usage of Phoenix Framework for request handling
Description
1. Non-compliant code
defmodule MyAppWeb.TransactionController do
  use MyAppWeb, :controller

  def create(conn, params) do
    # No transaction value validation
    MyApp.create_transaction(params)
    send_resp(conn, 200, "Transaction created")
  end
end

This code is vulnerable because it does not validate the transaction value in 'params' before creating the transaction. An attacker can send a request with a lower transaction value, negatively impacting the business.
2. Steps
• Add a function to validate the transaction value in 'params' before creating the transaction.
• Before calling 'MyApp.create_transaction', call this validation function. If the validation fails, return an error response.
3. Secure code example
defmodule MyAppWeb.TransactionController do
  use MyAppWeb, :controller

  def create(conn, params) do
    if validate_transaction_value(params) do
      MyApp.create_transaction(params)
      send_resp(conn, 200, "Transaction created")
    else
      send_resp(conn, 403, "Invalid transaction value")
    end
  end

  # Minimal check: accept only a positive numeric "value" parameter.
  defp validate_transaction_value(%{"value" => value}) when is_number(value), do: value > 0
  defp validate_transaction_value(_params), do: false
end

This code is safe because it validates the transaction value before creating the transaction. If the request contains an invalid transaction value, it returns an error response instead of creating a transaction with an incorrect value.
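A fuller version of the check, added here as an example and not part of the original guide: it parses the value as it actually arrives over HTTP (string or JSON number), rejects non-numeric, non-positive, oversized and over-precise amounts, and only passes the checked number to the business layer. It assumes the Phoenix layout and MyApp.create_transaction/1 used above; the MyAppWeb.TransactionValue module, its limits and the 422 status code are choices made for this example.

```elixir
defmodule MyAppWeb.TransactionValue do
  # Hypothetical helper (not from the original guide). Parses and bounds-checks
  # the "value" request parameter. Limits below are constructed for the example.
  @max_value 1_000_000
  @max_scale 2

  @doc "Returns {:ok, number} for an acceptable amount, {:error, reason} otherwise."
  def validate(%{"value" => raw}), do: raw |> parse() |> check()
  def validate(_params), do: {:error, :missing_value}

  # Form and query params arrive as strings: accept "12" or "12.50", reject the rest.
  defp parse(raw) when is_binary(raw) do
    case Float.parse(String.trim(raw)) do
      {number, ""} -> {:ok, number}
      _ -> {:error, :not_a_number}
    end
  end
  # JSON bodies may already carry numbers.
  defp parse(raw) when is_integer(raw) or is_float(raw), do: {:ok, raw}
  defp parse(_raw), do: {:error, :not_a_number}

  defp check({:error, _} = error), do: error
  defp check({:ok, number}) when number <= 0, do: {:error, :not_positive}
  defp check({:ok, number}) when number > @max_value, do: {:error, :above_limit}
  defp check({:ok, number}) do
    if scale_ok?(number), do: {:ok, number}, else: {:error, :too_many_decimals}
  end

  defp scale_ok?(number) when is_integer(number), do: true
  # Rounding to @max_scale and back must be lossless for a well-formed amount.
  defp scale_ok?(number) do
    rounded = number |> :erlang.float_to_binary(decimals: @max_scale) |> String.to_float()
    rounded == number
  end
end

defmodule MyAppWeb.TransactionController do
  use MyAppWeb, :controller

  def create(conn, params) do
    # Only the checked number reaches the business layer; a malformed amount is
    # answered with 422 so clients can tell it apart from an authorization failure.
    with {:ok, value} <- MyAppWeb.TransactionValue.validate(params) do
      MyApp.create_transaction(Map.put(params, "value", value))
      send_resp(conn, 200, "Transaction created")
    else
      {:error, reason} -> send_resp(conn, 422, "Invalid transaction value: #{reason}")
    end
  end
end
```

For real money handling, store and compare amounts as integer minor units or with the Decimal library rather than floats; the float parsing here only illustrates the validation steps.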
References
• 197. Lack of Data Validation - Numbers