GuardAPI

Fix Logic Flow Bypass in Hanami

Logic flow bypass in Hanami typically shows up when an action assumes a prerequisite state (a payment made, an e-mail verified, a previous step finished) without verifying it server-side. An attacker skips steps in a multi-stage process, such as checkout or a password reset, simply by requesting the endpoints out of order. The fix is to treat each step as a state transition and guard it inside the Action: check who owns the resource, check which state it is in, and refuse any request that does not match the expected transition.

The Vulnerable Pattern

module Web::Actions::Checkout
  class Complete
    include Web::Action
    def call(params)
      # VULNERABLE: Assumes the user has paid just because they reached this endpoint
      order = OrderRepository.new.find(params[:order_id])
      OrderRepository.new.update(order.id, status: 'completed')
      self.body = 'Order processed successfully'
    end
  end
end

The Secure Implementation

The vulnerable code has no notion of state: anyone who can guess or enumerate an order ID can mark that order as completed without ever paying. The secure version fails closed. It validates the parameter type, verifies that the order belongs to the requesting user (preventing IDOR), and explicitly checks that order.status is 'paid' before allowing the transition to 'completed'. Each check halts the request as soon as it fails, so the state change at the end of the action is only reachable along the intended path. One caveat remains: the status check and the update are separate statements, so two concurrent requests can both read 'paid' before either writes 'completed'. Where the transition has side effects (refunds, fulfilment, credits), make the precondition part of the write, for example an update constrained to rows whose status is still 'paid', and treat zero affected rows as a failed transition.

module Web::Actions::Checkout
  class Complete
    include Web::Action

    params do
      required(:order_id).filled(:int?)
    end

    def call(params)
      halt 400 unless params.valid?

      repo  = OrderRepository.new
      order = repo.find(params[:order_id])

      # SECURE: enforce ownership and the state-machine precondition
      halt 404 if order.nil?
      # current_user is assumed to be an app-defined helper (e.g. loaded from
      # the session in a before callback); Hanami itself does not provide one
      halt 403 unless order.user_id == current_user.id

      unless order.status == 'paid'
        halt 422, 'Logic Error: Order must be paid before completion'
      end

      # Note: this update is unconditional; see the caveat above about making
      # the 'paid' precondition part of the write for side-effecting transitions
      repo.update(order.id, status: 'completed')
      self.body = 'Order finalized'
    end
  end
end
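As an added example (not code from GuardAPI, and not Hanami's own API), the following framework-free Ruby models the same fail-closed guard outside an action, with the status precondition pushed into the write so that a concurrent request cannot slip between the check and the update. Order, ORDER_TRANSITIONS, InMemoryOrderRepository and OrderTransition are hypothetical names; the in-memory repository stands in for OrderRepository and its monitor stands in for the database's row-level atomicity. It goes beyond the page's single 'paid' to 'completed' check by using a transition table, so the same guard serves refunds and cancellations.

```ruby
# Added example (not code from GuardAPI or Hanami): a framework-free model of
# the fail-closed guard, with the precondition folded into the write so that
# check and update cannot be separated by a concurrent request.
# Order, ORDER_TRANSITIONS, InMemoryOrderRepository and OrderTransition are
# hypothetical names chosen for this example.
require 'monitor'

Order = Struct.new(:id, :user_id, :status)

# Allowed transitions, keyed by the state the order must currently be in.
# Anything not listed here (e.g. pending -> completed) is a logic-flow bypass.
ORDER_TRANSITIONS = {
  'pending'   => %w[paid cancelled],
  'paid'      => %w[completed refunded],
  'completed' => %w[refunded]
}.freeze

# Stands in for OrderRepository. The monitor plays the role of the database's
# atomicity for the conditional update.
class InMemoryOrderRepository
  include MonitorMixin

  def initialize(orders)
    super()
    @orders = {}
    orders.each { |o| @orders[o.id] = o }
  end

  def find(id)
    synchronize { @orders[id] && @orders[id].dup }
  end

  # Equivalent of:
  #   UPDATE orders SET status = :to WHERE id = :id AND status = :from
  # Returns the number of rows changed (0 or 1), as a SQL driver would.
  def update_status_if(id, from:, to:)
    synchronize do
      order = @orders[id]
      return 0 unless order && order.status == from
      order.status = to
      1
    end
  end
end

# The checks the Hanami action performs, returned as symbols so the action
# can map them to HTTP statuses: :not_found => 404, :forbidden => 403,
# :invalid_transition => 422, :conflict => 409, :ok => 200.
class OrderTransition
  def initialize(repo)
    @repo = repo
  end

  def call(order_id:, actor_id:, to:)
    order = @repo.find(order_id)
    return :not_found if order.nil?
    return :forbidden unless order.user_id == actor_id
    allowed = ORDER_TRANSITIONS.fetch(order.status, [])
    return :invalid_transition unless allowed.include?(to)

    # The precondition is re-checked inside the write. A concurrent request
    # that already moved the order on makes this return 0 instead of
    # silently overwriting its result.
    changed = @repo.update_status_if(order_id, from: order.status, to: to)
    changed.zero? ? :conflict : :ok
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: user 10 owns a pending and a paid order.
  repo = InMemoryOrderRepository.new([Order.new(1, 10, 'pending'), Order.new(2, 10, 'paid')])
  checkout = OrderTransition.new(repo)

  # Attacker skips payment and calls "complete" directly: rejected.
  p checkout.call(order_id: 1, actor_id: 10, to: 'completed') # :invalid_transition
  # Attacker guesses someone else's order ID: rejected.
  p checkout.call(order_id: 2, actor_id: 99, to: 'completed') # :forbidden
  # Legitimate completion of a paid order.
  p checkout.call(order_id: 2, actor_id: 10, to: 'completed') # :ok

  # Two simultaneous completions of one paid order: exactly one wins.
  repo2 = InMemoryOrderRepository.new([Order.new(5, 1, 'paid')])
  race = OrderTransition.new(repo2)
  results = Array.new(2) { Thread.new { race.call(order_id: 5, actor_id: 1, to: 'completed') } }.map(&:value)
  p results.count(:ok) # 1
end
```

In a real Hanami app the repository method would issue the conditional UPDATE against the orders table (the exact repository call depends on the Hanami and ROM versions in use, so it is not shown here); the action keeps the halt sequence from the secure implementation above and adds halt 409 for :conflict.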


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across more than 40 frameworks to provide up-to-date remediation strategies.