Fix Business Logic Errors in Sinatra
Business logic errors are the silent killers in Sinatra apps. Unlike SQLi or XSS, automated scanners usually miss these because they aren't syntax violations—they are flaws in the application's intended flow. If you trust the client to define identity, price, or state transitions, you've already lost. In Sinatra's minimalist environment, the burden of enforcing these rules lies entirely on the developer's middleware and route logic.
The Vulnerable Pattern
post '/api/v1/account/withdraw' do # VULNERABLE: Trusting user-supplied ID and failing to validate state user = User.find(params[:user_id]) amount = params[:amount].to_f
user.balance -= amount user.save { status: ‘success’, new_balance: user.balance }.to_json end
The Secure Implementation
The vulnerable code exhibits three major logic flaws: 1. IDOR (Insecure Direct Object Reference): It trusts the 'user_id' from the request body, allowing any user to withdraw from any account. 2. Lack of Value Validation: It doesn't check if the amount is negative, which would actually credit the account. 3. Race Conditions: It lacks atomicity; two simultaneous requests could bypass balance checks. The secure version fixes this by sourcing identity from the encrypted session, validating the business rules (non-negative, sufficient funds), and using database-level locking to ensure integrity during concurrent access.
post '/api/v1/account/withdraw' do # SECURE: Identity from session, strict input validation, and atomic operations content_type :json halt 401, { error: 'Unauthorized' }.to_json unless session[:user_id]user = User.find(session[:user_id]) amount = params[:amount].to_f
Logic Check: Prevent negative withdrawals or overdrafts
halt 400, { error: ‘Invalid amount’ }.to_json if amount <= 0 halt 400, { error: ‘Insufficient funds’ }.to_json if user.balance < amount
Use database transactions to prevent race conditions
User.transaction do user.lock! # Pessimistic locking to prevent double-spending user.update!(balance: user.balance - amount) end
{ status: ‘success’, new_balance: user.balance }.to_json end
Your Sinatra API
might be exposed to Business Logic Errors
74% of Sinatra apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.
Free Tier • No Credit Card • Instant Report
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.