
#0204

Credit Balance Inflation

Difficulty: Medium | +100 XP
OWASP A08:2021 Software and Data Integrity Failures | CWE-915
Tags: Mass Assignment, Financial, Wallet

Scenario

Your platform lets users personalise their wallet: rename it, change the display currency. The wallet-update endpoint, however, passes the entire request body straight into the update handler, which copies every field it receives onto the stored wallet.

An attacker includes a 'balance' field in the update request and sets it to an arbitrarily large number, giving themselves free credit.

Allowing balance modifications through mass assignment is equivalent to giving every user a direct database write. Even small oversights here can cost a business significant money.

Your Tasks

  1. Fix updateWallet so that only 'displayName' and 'currency' can be changed. The 'balance' field — and any other field — must be ignored.

Examples

Example 1: Balance inflation blocked

updateWallet('u1', { balance: 999999 }, accounts)
// returns wallet with original balance

Constraints

  • Throw exactly 'Not found' when no wallet exists for userId
  • Return the updated wallet object
  • balance must never change via this function
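The following is an added example, not the challenge's reference solution. It shows the mass-assignment pattern the scenario describes beside an allow-list rewrite of updateWallet that satisfies the constraints above. It assumes `accounts` is a plain object keyed by userId and that wallets are plain objects with displayName, currency and balance properties; the page does not define the store's shape, so that is an assumption. The hardened version looks wallets up with an own-property check, because on a plain object `accounts['__proto__']` resolves to Object.prototype, which is truthy, and writing into it would pollute every object in the process.

```javascript
'use strict';

// Assumption (not stated on the page): `accounts` is a plain object keyed by
// userId, e.g. { u1: { displayName: 'Main', currency: 'USD', balance: 100 } }.

const hasOwn = (obj, key) =>
  obj != null && Object.prototype.hasOwnProperty.call(obj, key);

// Vulnerable form: the whole request body is merged into the stored wallet,
// so any field the client sends, including `balance`, is written through.
function updateWalletVulnerable(userId, body, accounts) {
  const wallet = accounts[userId];
  if (!wallet) throw new Error('Not found');
  Object.assign(wallet, body);
  return wallet;
}

// Hardened form: an explicit allow-list of client-editable fields.
// Anything not on the list (balance, userId, ...) is silently dropped.
const EDITABLE_FIELDS = ['displayName', 'currency'];

function updateWallet(userId, body, accounts) {
  // Own-property lookup: a userId of '__proto__' or 'constructor' must not
  // resolve to something inherited from Object.prototype.
  if (!hasOwn(accounts, userId)) throw new Error('Not found');
  const wallet = accounts[userId];

  // Copy only allow-listed fields, and only when the client actually sent them.
  for (const field of EDITABLE_FIELDS) {
    if (hasOwn(body, field)) {
      wallet[field] = body[field];
    }
  }
  return wallet;
}

// Constructed sample data and a small harness so the difference is observable.
function makeAccounts() {
  return {
    u1: { userId: 'u1', displayName: 'Main', currency: 'USD', balance: 100 },
  };
}

// Runs the attacker's request against both implementations and returns the
// resulting balances plus what happens for an unknown and a prototype userId.
function demo() {
  const attack = { displayName: 'Savings', balance: 999999 };

  const vulnerableStore = makeAccounts();
  const vulnerableResult = updateWalletVulnerable('u1', attack, vulnerableStore);

  const hardenedStore = makeAccounts();
  const hardenedResult = updateWallet('u1', attack, hardenedStore);

  const errorFor = (userId) => {
    try {
      updateWallet(userId, attack, hardenedStore);
      return null;
    } catch (err) {
      return err.message;
    }
  };

  return {
    vulnerableBalance: vulnerableResult.balance,   // 999999: attacker wins
    hardenedBalance: hardenedResult.balance,       // 100: unchanged
    hardenedDisplayName: hardenedResult.displayName, // 'Savings': rename allowed
    unknownUserError: errorFor('nobody'),          // 'Not found'
    protoUserError: errorFor('__proto__'),         // 'Not found', not a pollution
    prototypePolluted: hasOwn(Object.prototype, 'balance'),
  };
}

module.exports = { updateWallet, updateWalletVulnerable, makeAccounts, demo };
```

A real endpoint would go one step further than the allow-list and validate the values it does accept: displayName as a bounded-length string and currency against the set of currencies the platform actually supports. The allow-list is what stops balance inflation; the type and range checks are what stop the next bug report.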
