Fix Logic Flow Bypass in Yii
Logic flow bypasses in Yii applications typically appear when developers rely on client-controlled parameters or inconsistent session state to manage multi-step processes. Attackers manipulate request variables to skip critical steps, such as payment verification or MFA, and jump directly to the 'success' action. To harden the application, you must implement a server-side state machine and strictly enforce transition logic via Yii's AccessControl filter and ActiveRecord state validation.
The Vulnerable Pattern
public function actionConfirmOrder($orderId, $bypass_payment = false)
{
    $order = Order::findOne($orderId);

    // VULNERABILITY: relying on a URL parameter ($bypass_payment) or an inconsistent state.
    // An attacker can simply call /order/confirm-order?orderId=123&bypass_payment=1
    // (and findOne() is not scoped to the current user, so any orderId is accepted).
    if ($bypass_payment || $order->status == 'pending') {
        $order->status = 'completed';
        $order->save();
        return $this->render('success');
    }

    // No other branch produces a response, so reject the request explicitly.
    throw new \yii\web\BadRequestHttpException('Order cannot be confirmed.');
}
The Secure Implementation
The fix eliminates client-side influence over business logic transitions. First, it uses Yii's AccessControl filter to ensure the user is authenticated. Second, it scopes the database query to the authenticated user's ID to prevent IDOR-based flow bypass. Third, and most importantly, it replaces the optional '$bypass_payment' parameter with a strict server-side check against the 'Order' model's internal status. Only if the system has internally marked the order as 'payment_verified' can the code proceed to 'completed'. This ensures the logic flow is driven by trusted server-side data rather than mutable request parameters.
public function behaviors()
{
    return [
        'access' => [
            'class' => \yii\filters\AccessControl::class,
            'rules' => [
                ['allow' => true, 'roles' => ['@']], // '@' = authenticated users only
            ],
        ],
    ];
}

public function actionConfirmOrder($orderId)
{
    // SECURE: scope the query to the current user and verify internal state only
    $order = Order::find()
        ->where(['id' => $orderId, 'user_id' => Yii::$app->user->id])
        ->one();
    if (!$order) {
        throw new \yii\web\NotFoundHttpException('Order not found.');
    }

    // SECURE: enforce a strict state-machine transition
    if ($order->status !== Order::STATUS_PAYMENT_VERIFIED) {
        throw new \yii\web\ForbiddenHttpException('Illegal state transition: Payment required.');
    }

    $order->status = Order::STATUS_COMPLETED;
    if ($order->save()) {
        return $this->render('success');
    }
    throw new \yii\web\ServerErrorHttpException('Could not update the order.');
}
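The controller above checks one transition. The model itself can enforce every transition, so that no other action, console command or mass assignment can move an order from 'pending' straight to 'completed'. The following is an added example, not code from the original page or from the Yii project; it assumes an `order` table with `id`, `user_id` and `status` columns, and the transition map and status names are illustrative.

```php
<?php
// Added example: an Order ActiveRecord that owns its state machine.
// Assumed schema: order(id, user_id, status). Status names are illustrative.

namespace app\models;

use yii\base\InvalidArgumentException;
use yii\db\ActiveRecord;

class Order extends ActiveRecord
{
    const STATUS_PENDING          = 'pending';
    const STATUS_PAYMENT_VERIFIED = 'payment_verified';
    const STATUS_COMPLETED        = 'completed';
    const STATUS_CANCELLED        = 'cancelled';

    // Every legal transition. Anything not listed is rejected, so no request
    // can move an order from 'pending' directly to 'completed'.
    private const TRANSITIONS = [
        self::STATUS_PENDING          => [self::STATUS_PAYMENT_VERIFIED, self::STATUS_CANCELLED],
        self::STATUS_PAYMENT_VERIFIED => [self::STATUS_COMPLETED, self::STATUS_CANCELLED],
        self::STATUS_COMPLETED        => [],
        self::STATUS_CANCELLED        => [],
    ];

    public static function tableName()
    {
        return '{{%order}}';
    }

    public function rules()
    {
        return [
            [['user_id'], 'required'],
            // 'status' has no 'safe' scenario, so load($_POST) can never assign it.
            ['status', 'in', 'range' => array_keys(self::TRANSITIONS)],
        ];
    }

    /** True if moving from the persisted status to $to is a listed transition. */
    public function canTransitionTo(string $to): bool
    {
        // Compare against the value loaded from the database, not the in-memory one,
        // so a caller cannot "pre-set" the status to fake an intermediate step.
        $from = $this->getOldAttribute('status') ?? self::STATUS_PENDING;
        return in_array($to, self::TRANSITIONS[$from] ?? [], true);
    }

    /** The intended way to change status; throws on an illegal jump. */
    public function transitionTo(string $to): bool
    {
        if (!$this->canTransitionTo($to)) {
            $from = $this->getOldAttribute('status') ?? self::STATUS_PENDING;
            throw new InvalidArgumentException("Illegal state transition: {$from} -> {$to}");
        }
        $this->status = $to;
        return $this->save();
    }

    // Defence in depth: code that sets $order->status directly and calls save()
    // is checked against the same transition map.
    public function beforeSave($insert)
    {
        if (!parent::beforeSave($insert)) {
            return false;
        }
        if ($insert) {
            $this->status = self::STATUS_PENDING; // new orders always start here
            return true;
        }
        if ($this->isAttributeChanged('status') && !$this->canTransitionTo($this->status)) {
            $this->addError('status', 'Illegal state transition.');
            return false;
        }
        return true;
    }
}
```

With this model, the controller's confirm action becomes `$order->transitionTo(Order::STATUS_COMPLETED)` inside a `try`, converting the `InvalidArgumentException` into a `ForbiddenHttpException`; the separate `payment_verified` step is set only by the server-side payment callback, never by a user-facing action. Because `canTransitionTo()` reads the old (persisted) attribute, an attacker who manages to set `status` in memory still cannot influence which transitions are allowed.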
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.