Automatic Information Enumeration - Credit Cards - Elixir

Need

To prevent the listing and exposure of credit card information by implementing proper validation.

Context

  • Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  • Usage of Ecto (3.6.2 and above) for database query and manipulation
  • Usage of Plug (1.11.1 and above) for building composable web applications in Elixir

Description

Non compliant code

    defmodule MyApp.PaymentController do
      use MyApp.Web, :controller

      # The card parameters go straight to create_card/1: nothing checks the
      # expiration date or security code before the record is created.
      def create(conn, %{"card" => card_params}) do
        {:ok, card} = MyApp.Card.create_card(card_params)
        render(conn, "card.json", card: card)
      end
    end

This code is vulnerable because the expiration date and security code of the credit card are never validated before the card is created. This lack of validation could allow an attacker to list credit card information.

Steps

  • Implement validation of the expiration date and security code in the card creation function, before any record is created.
  • Install a credit card validation library if one is available for your stack.

Compliant code

    defmodule MyApp.PaymentController do
      use MyApp.Web, :controller

      # validate_card/1 must return :ok before create_card/1 is called; any
      # other value (an error tuple, for example) falls through to the else
      # clause and the request is rejected with 400 Bad Request.
      def create(conn, %{"card" => card_params}) do
        with :ok <- MyApp.Card.validate_card(card_params),
             {:ok, card} <- MyApp.Card.create_card(card_params) do
          render(conn, "card.json", card: card)
        else
          _ -> send_resp(conn, :bad_request, "Invalid card information.")
        end
      end
    end

In this secure code example, we've added a card validation step using the validate_card function, which runs before create_card. This function checks the expiration date and security code of the credit card before the card is created, and the controller returns 400 Bad Request when validation fails.
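The compliant controller calls MyApp.Card.validate_card/1 but the page does not show that function. The following module is an added example (not the page's own code) of one way to implement it: it checks the card number format and Luhn checksum, rejects an expiration month/year that is malformed or already past, and requires a security code of the right length. The parameter keys "number", "exp_month", "exp_year" and "cvc", the 12..19 digit range and the 4-digit code for cards whose number starts with 34 or 37 are assumptions of this example, not values taken from the page.

```elixir
defmodule MyApp.Card do
  @moduledoc """
  Added example of server-side card validation. Not the page's original code:
  the controller on the page references validate_card/1 without defining it.
  Parameter names and the card-brand rule below are assumptions.
  """

  # Accepts the string-keyed map that Plug's parsers deliver for "card".
  # Returns :ok, or an error tuple that the controller's `else` clause rejects.
  def validate_card(%{} = params) do
    with {:ok, number} <- validate_number(Map.get(params, "number")),
         :ok <- validate_expiry(Map.get(params, "exp_month"), Map.get(params, "exp_year")),
         :ok <- validate_cvc(Map.get(params, "cvc"), number) do
      :ok
    end
  end

  def validate_card(_), do: {:error, :invalid_params}

  # Card number: spaces and dashes stripped, 12-19 digits, Luhn-valid.
  defp validate_number(number) when is_binary(number) do
    digits = String.replace(number, ~r/[\s-]/, "")

    cond do
      not Regex.match?(~r/^\d{12,19}$/, digits) -> {:error, :invalid_number}
      not luhn_valid?(digits) -> {:error, :invalid_number}
      true -> {:ok, digits}
    end
  end

  defp validate_number(_), do: {:error, :invalid_number}

  # Luhn checksum: from the right, double every second digit, subtract 9 from
  # any result above 9, and require the sum to be a multiple of 10.
  defp luhn_valid?(digits) do
    sum =
      digits
      |> String.to_charlist()
      |> Enum.reverse()
      |> Enum.with_index()
      |> Enum.reduce(0, fn {ch, idx}, acc ->
        d = ch - ?0
        d = if rem(idx, 2) == 1, do: d * 2, else: d
        d = if d > 9, do: d - 9, else: d
        acc + d
      end)

    rem(sum, 10) == 0
  end

  # Expiration: month 1..12, four-digit year, and not already in the past.
  # Values may arrive as strings or integers, so both are normalised.
  defp validate_expiry(month, year) do
    with {m, ""} <- Integer.parse(to_string(month)),
         {y, ""} <- Integer.parse(to_string(year)),
         true <- m in 1..12,
         true <- y >= 2000 and y <= 2100,
         false <- expired?(m, y) do
      :ok
    else
      _ -> {:error, :invalid_expiry}
    end
  end

  # A card remains valid through the last day of its expiry month.
  defp expired?(month, year) do
    today = Date.utc_today()
    {year, month} < {today.year, today.month}
  end

  # Security code: digits only; 3 digits, or 4 when the number starts with
  # 34 or 37 (assumed brand rule for this example).
  defp validate_cvc(cvc, number) when is_binary(cvc) do
    expected = if String.starts_with?(number, ["34", "37"]), do: 4, else: 3

    if Regex.match?(~r/^\d+$/, cvc) and String.length(cvc) == expected do
      :ok
    else
      {:error, :invalid_cvc}
    end
  end

  defp validate_cvc(_, _), do: {:error, :invalid_cvc}
end
```

Because every failure path returns a tuple rather than :ok, the `with` in the compliant controller falls through to its `else` clause and the caller only ever sees a generic "Invalid card information." response, which avoids leaking which field was wrong. Validation of this kind does not by itself make storing card data safe; systems that handle card numbers normally hand them to a payment processor and keep only a token.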
