Lack of Data Validation - Numbers - Elixir

Need

Prevent transactions with invalid values to ensure business logic integrity

Context

  • Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications
  • Usage of Phoenix Framework for request handling

Description

Non-compliant code

        defmodule MyAppWeb.TransactionController do
          use MyAppWeb, :controller

          def create(conn, params) do
            # No transaction value validation: whatever the client sent is used as-is
            MyApp.create_transaction(params)
            send_resp(conn, 200, "Transaction created")
          end
        end

This code is vulnerable because it does not validate the transaction value in 'params' before creating the transaction. An attacker can send a request whose transaction value is lower than it should be, negatively impacting the business.

Steps

  • Add a function that validates the transaction value in 'params' before the transaction is created.
  • Call this validation function before calling 'MyApp.create_transaction'. If the validation fails, return an error response instead of creating the transaction.

Compliant code

        defmodule MyAppWeb.TransactionController do
          use MyAppWeb, :controller

          def create(conn, params) do
            if validate_transaction_value(params) do
              MyApp.create_transaction(params)
              send_resp(conn, 200, "Transaction created")
            else
              send_resp(conn, 403, "Invalid transaction value")
            end
          end

          # Minimal validation: the value must be present and a positive integer.
          # The parameter key "value" is an assumption; adapt it to the real payload.
          defp validate_transaction_value(%{"value" => value})
               when is_integer(value) and value > 0,
               do: true

          defp validate_transaction_value(_params), do: false
        end

This code is safe because it validates the transaction value before creating the transaction. If the request contains a missing, non-numeric or non-positive transaction value, it returns an error response instead of creating a transaction with an incorrect value.
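The compliant controller above leaves the validation body as a stub. The following is an added example, not code from the original page or from any project it describes, showing a complete validation module and the controller wired to it. The parameter name "amount", the integer minor-unit representation (cents), the upper bound, and the use of HTTP 422 for rejected input are assumptions made for this example; 'MyApp.create_transaction' is the same hypothetical function the page uses.

```elixir
# Added example (not from the original page). Assumed names: "amount" param,
# MyApp.TransactionValidator, @max_amount business limit.
defmodule MyApp.TransactionValidator do
  @moduledoc """
  Validates the monetary amount submitted with a transaction request.

  Amounts are expected as an integer number of minor currency units (e.g. cents)
  so that float rounding cannot be abused. Strings are accepted as well, because
  form and query parameters arrive as binaries in Phoenix.
  """

  @min_amount 1
  # 1,000,000.00 in minor units; an assumed business limit for this example.
  @max_amount 100_000_000

  @doc """
  Returns `{:ok, amount}` for a positive integer amount within bounds and
  `{:error, reason}` otherwise. Never raises on client-controlled input.
  """
  def validate_amount(%{"amount" => raw}), do: raw |> parse() |> check_bounds()
  def validate_amount(_params), do: {:error, :missing_amount}

  # Accept native integers (JSON bodies) and decimal strings (form/query params).
  defp parse(n) when is_integer(n), do: {:ok, n}

  defp parse(s) when is_binary(s) do
    case Integer.parse(String.trim(s)) do
      # The whole string must be consumed, so "100abc" or "1e3" are rejected.
      {n, ""} -> {:ok, n}
      _ -> {:error, :not_an_integer}
    end
  end

  # Floats, lists, maps, booleans and nil are rejected rather than coerced.
  defp parse(_other), do: {:error, :not_an_integer}

  defp check_bounds({:ok, n}) when n < @min_amount, do: {:error, :non_positive}
  defp check_bounds({:ok, n}) when n > @max_amount, do: {:error, :exceeds_limit}
  defp check_bounds({:ok, n}), do: {:ok, n}
  defp check_bounds({:error, _} = error), do: error
end

defmodule MyAppWeb.TransactionController do
  use MyAppWeb, :controller

  alias MyApp.TransactionValidator

  def create(conn, params) do
    case TransactionValidator.validate_amount(params) do
      {:ok, amount} ->
        # Pass only the validated value downstream, never the raw params map.
        MyApp.create_transaction(%{amount: amount})
        send_resp(conn, 201, "Transaction created")

      {:error, reason} ->
        # 422 signals a well-formed request with semantically invalid content.
        send_resp(conn, 422, "Invalid transaction amount: #{reason}")
    end
  end
end
```

Two design choices matter here. Parsing and bounds checking are split into separate clauses so that every rejection has a distinct reason that can be logged and used to detect probing (for example a burst of `:non_positive` rejections from one client). Only the validated integer is forwarded to 'MyApp.create_transaction', so a later refactor cannot accidentally start trusting other fields from the raw request.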
