TL;DR: Treat unknown responses as unauthorized, not as valid.
Problems
Security risks
Ignoring unknown cases
Error Misinterpretation
Defaulting to valid states
Mismatch Authorizations
Failing to log events
Exploitation Potential
Solutions
Validate all responses against a closed set of known codes.
Default (and unknown) to unauthorized or Remove Defaults.
Log every mismatched or unexpected case for analysis.
Test with edge scenarios
Synchronize response pools with processors regularly to avoid outdated codes.
Focus on security making it a shift left process.
Design systems with change resilience to handle evolving scenarios.
Context
Today is computer security day and every programmer needs to acknowledge its responsibility.
Imagine an application handling sales that relies on response pools from credit card processors to handle transactions.
Each credit card processor provides predefined response codes for various situations, such as insufficient balance or expired cards.
The issue begins when a processor adds a new response code for denied transactions but doesn't notify the platform.
The application doesn't recognize the new code, defaults to treating it as "not found," and authorizes the purchase.
Users notice this flaw and exploit it to make unauthorized purchases.
The platform's revenue plummets, leading to bankruptcy.
Sample Code
Wrong
String response = paymentProcessor.authorize(cardDetails);
switch (response) {
case "DECLINED_INSUFFICIENT_FUNDS":
// Handle insufficient funds
break;
case "DECLINED_EXPIRED_CARD":
// Handle expired card
break;
default:
// Authorize purchase
break;
}
Right
String response = paymentProcessor.authorize(cardDetails);
switch (response) {
case "APPROVED":
// Authorize purchase
break;
case "DECLINED_INSUFFICIENT_FUNDS":
// Handle insufficient funds
break;
case "DECLINED_EXPIRED_CARD":
// Handle expired card
break;
case "DECLINED_NEW_REASON":
// Handle new declined reason
break;
default:
// Reject purchase (default case for unknown responses)
break;
}
Detection
[X] Manual
You can detect this smell by reviewing error-handling logic.
Check if the system logs and denies unrecognized cases.
Automated tests can help identify if new or unexpected inputs default to valid actions.
Static analysis tools can help by flagging potentially incomplete error handling.
Tags
Security
Level
[X] Intermediate
Why the Bijection Is Important
It's critical to maintain a one-to-one correspondence between your application's internal representation of payment processor responses and the actual codes returned by the processor.
When you break the Bijection, you create a mismatch.
The application interprets unknown codes incorrectly, leading to unexpected behavior, security holes, and potentially disastrous business consequences.
AI Generation
AI tools can create this smell if you don't specify how to handle unknown cases.
For example, generic error handling might default to benign outcomes like "not found" or "success."
AI Detection
AI generators can fix this smell when you instruct them to treat unknown cases as unauthorized and emphasize logging and testing unexpected scenarios.
Try Them!
Remember: AI Assistants make lots of mistakes
Without Proper Instructions
With Specific Instructions
Conclusion
Always handle unknown cases cautiously.
Defaults like "not found" can lead to severe security issues and financial losses.
Make logging and denying unknown responses part of your development practices.
Make shift-left decisions related to security while programming.
Relations
Code Smell 110 - Switches With Defaults
Code Smell 36 - Switch/case/elseif/else/if statements
Disclaimer
Code Smells are my opinion.
Credits
Photo by Nathana Rebouças on Unsplash
Incident description (in Spanish)
Assumptions are the mother of all failures.
Said Ouissal
Software Engineering Great Quotes
This article is part of the CodeSmell Series.