Fix Logic Flow Bypass in Camping
Logic flow bypasses in Camping micro-apps typically occur when developers rely on implicit routing sequences or client-side state to enforce business logic. In these scenarios, an attacker can skip critical middleware or validation steps (like payment or MFA) by directly hitting the terminal URI. To harden Camping, you must implement explicit server-side state verification at every sensitive endpoint.
The Vulnerable Pattern
module CampingApp::Controllers
  class Checkout < R '/checkout'
    def post
      @state.cart_processed = true
      redirect Payment
    end
  end

  class Payment < R '/payment'
    def post
      # Assume payment logic happens here
      @state.paid = true
      redirect Receipt
    end
  end

  class Receipt < R '/receipt'
    def get
      # VULNERABILITY: Only checks if user is logged in
      # Attacker can browse directly to /receipt to bypass payment
      if @state.user_id
        render :thank_you
      else
        redirect Login
      end
    end
  end
end
The Secure Implementation
The bypass occurs because the /receipt controller assumes the user reached it via the /payment POST handler. A 'hacker' simply ignores the intended UI flow and requests the final URI. The fix involves implementing a server-side state check (e.g., @state.paid) that is only set upon successful completion of the prerequisite step. For high-assurance flows, use a one-time cryptographic nonce or a transition token stored in the session that is invalidated immediately after the protected action is performed.
module CampingApp::Controllers
  class Receipt < R '/receipt'
    def get
      # SECURE: Strict state machine validation
      # Verify the specific business logic flag and clear it after use
      if @state.user_id && @state.paid == true
        @state.paid = false # Consume the 'paid' state
        render :thank_you
      else
        @state.error = 'Invalid flow sequence.'
        redirect Checkout
      end
    end
  end
end
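The one-time transition token mentioned above, worked through as an added example in plain Ruby (not code from the page or the Camping project): a Hash stands in for Camping's @state, and the FlowGuard class and the step names checkout, payment and receipt are assumptions. The payment step calls grant to authorise exactly one request to the receipt step; the receipt step calls consume, which succeeds once and then clears the token.

```ruby
require 'securerandom'

# Added example, not from the page or the Camping project. A Hash stands
# in for Camping's @state; the step names and FlowGuard are assumptions.
class FlowGuard
  STEPS = %w[checkout payment receipt].freeze
  def initialize(session)
    @session = session
  end

  # The step that just completed calls this to authorise exactly one
  # request to next_step: the token travels in the redirect, while the
  # session records which step may redeem it.
  def grant(next_step)
    raise ArgumentError, "unknown step #{next_step}" unless STEPS.include?(next_step)
    token = SecureRandom.hex(16)
    @session[:flow_step] = next_step
    @session[:flow_token] = token
    token
  end

  # The protected step calls this before rendering. It succeeds once and
  # then clears the token, so a direct hit (no token), a token issued for
  # a different step, a tampered token, or a replay all fail.
  def consume(step, presented)
    expected = @session[:flow_token]
    return false unless expected && @session[:flow_step] == step
    return false unless presented.is_a?(String) && secure_compare(expected, presented)
    @session.delete(:flow_token)
    @session.delete(:flow_step)
    true
  end

  private
  # Constant-time comparison so the token cannot be guessed byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Drives the guard the way the /receipt handler would be reached, with a
# constructed session for a logged-in user.
def receipt_outcomes
  guard = FlowGuard.new({ user_id: 42 })
  direct = guard.consume('receipt', nil)          # browsed straight to /receipt
  token  = guard.grant('receipt')                 # issued by the /payment POST
  legit  = guard.consume('receipt', token)        # followed the redirect
  replay = guard.consume('receipt', token)        # same URL requested again
  { direct: direct, legit: legit, replay: replay }
end
```

In a Camping handler the token would be appended to the redirect URI by the payment POST and read back from the request parameters by the receipt GET; everything else is the same.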
Verified by Ghost Labs Security Team