class PaymentTagger

Overview

Flags payment / financial transaction endpoints. These routes carry direct monetary impact, so they are prime targets for business-logic flaws (amount/price tampering, currency confusion, negative amounts), IDOR on financial records, and replay. Surfacing them helps a reviewer focus on the highest-stakes surface.

Defined in:

tagger/taggers/payment.cr

Constant Summary

AMBIGUOUS_PATH_PARTS = Set {"charge", "charges", "transaction", "transactions", "subscription", "subscriptions", "withdraw", "transfer", "transfers", "deposit", "deposits", "wallet", "wallets", "order", "orders"}

Path segments that often — but not always — mean money: a DB "transaction", a newsletter/web-push "subscription", a battery "charge", a non-financial "withdraw"/"transfer", an unpaid "order". Require a corroborating money parameter before flagging.

MONEY_PARAM_NAMES = Set {"amount", "currency", "currency_code", "price", "total", "subtotal", "balance", "total_amount", "amount_due", "grand_total"}

Generic money parameters. Weak on their own (and so never trip the tagger by themselves), but enough to corroborate an ambiguous path.

STRONG_PARAM_NAMES = Set {"card_number", "cardnumber", "cc_number", "ccnumber", "cvv", "cvc", "cvv2", "cvn", "csc", "security_code", "card_security_code", "card_cvc", "card_expiry", "card_holder", "cardholder_name", "payment_method", "payment_method_id", "payment_method_nonce", "payment_intent", "setup_intent", "stripe_token", "paypal_token", "card_token", "iban", "routing_number", "sort_code"}

Parameter names that strongly imply payment handling on their own (card data, gateway tokens, payment-method references, bank details).

STRONG_PATH_PARTS = Set {"payment", "payments", "checkout", "billing", "invoice", "invoices", "refund", "refunds", "payout", "payouts", "withdrawal", "withdrawals", "paypal", "stripe", "braintree", "pay", "purchase", "purchases"}

Path segments that strongly imply a payment/financial surface. Matched as whole path segments after splitting on /, -, _ and . (dot). withdrawal(s) (the noun) stays here; the bare verb withdraw is ambiguous (withdraw an application/registration/bid) and lives in AMBIGUOUS_PATH_PARTS.
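An added example, not the project's Crystal code: a Python reimplementation of the three-tier rule these constants describe (a strong path segment or a strong parameter flags on its own; an ambiguous segment needs a corroborating money parameter; money parameters alone never flag). The Endpoint dataclass, the "payment" tag string and the sample endpoints are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constant sets copied from the documented PaymentTagger.
STRONG_PATH_PARTS = {"payment", "payments", "checkout", "billing", "invoice",
    "invoices", "refund", "refunds", "payout", "payouts", "withdrawal",
    "withdrawals", "paypal", "stripe", "braintree", "pay", "purchase", "purchases"}
AMBIGUOUS_PATH_PARTS = {"charge", "charges", "transaction", "transactions",
    "subscription", "subscriptions", "withdraw", "transfer", "transfers",
    "deposit", "deposits", "wallet", "wallets", "order", "orders"}
STRONG_PARAM_NAMES = {"card_number", "cardnumber", "cc_number", "ccnumber", "cvv",
    "cvc", "cvv2", "cvn", "csc", "security_code", "card_security_code", "card_cvc",
    "card_expiry", "card_holder", "cardholder_name", "payment_method",
    "payment_method_id", "payment_method_nonce", "payment_intent", "setup_intent",
    "stripe_token", "paypal_token", "card_token", "iban", "routing_number", "sort_code"}
MONEY_PARAM_NAMES = {"amount", "currency", "currency_code", "price", "total",
    "subtotal", "balance", "total_amount", "amount_due", "grand_total"}

# Whole path segments after splitting on /, -, _ and . (as the docs describe).
SEGMENT_SPLIT = re.compile(r"[/\-_.]+")

@dataclass
class Endpoint:  # constructed stand-in for the project's Endpoint type (assumption)
    method: str
    url: str
    params: set[str] = field(default_factory=set)
    tags: list[str] = field(default_factory=list)

def path_segments(url: str) -> set[str]:
    """Lower-cased whole segments of the URL path (host and query ignored)."""
    return {s.lower() for s in SEGMENT_SPLIT.split(urlsplit(url).path) if s}

def is_payment_endpoint(ep: Endpoint) -> bool:
    segs = path_segments(ep.url)
    params = {p.lower() for p in ep.params}
    # Tier 1: a strong path segment or a strong parameter flags on its own.
    if segs & STRONG_PATH_PARTS or params & STRONG_PARAM_NAMES:
        return True
    # Tier 2: an ambiguous segment needs a corroborating money parameter;
    # a money parameter on a non-ambiguous path never flags by itself.
    return bool(segs & AMBIGUOUS_PATH_PARTS and params & MONEY_PARAM_NAMES)

def perform(endpoints: list[Endpoint]) -> list[Endpoint]:
    """Tag qualifying endpoints with 'payment' (assumed tag name) and return the list."""
    for ep in endpoints:
        if is_payment_endpoint(ep) and "payment" not in ep.tags:
            ep.tags.append("payment")
    return endpoints
```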

Constructors

Instance Method Summary

Instance methods inherited from class Tagger

name : String
perform(endpoints : Array(Endpoint)) : Array(Endpoint)

Constructor methods inherited from class Tagger

new(options : Hash(String, YAML::Any))

Constructor Detail

def self.new(options : Hash(String, YAML::Any))


Instance Method Detail

def perform(endpoints : Array(Endpoint))
