beam-community / stripity-stripe

An Elixir Library for Stripe

[Proposal] Make param from Stripe.Error to be a string instead of atom #800

Closed yordis closed 11 months ago

yordis commented 1 year ago

Notice that extra.params is an atom. In the worst case, people may be doing some proxy, and you expose your service to a potential DDoS attack and create new atoms until you run out of memory.

 %Stripe.Error{
   source: :stripe,
   code: :invalid_request_error,
   request_id: {"Request-Id", "req_unJcuRGfNFBuSb"},
   extra: %{
     card_code: :customer_tax_location_invalid,
     http_status: 400,
     param: :"customer_details[ip_address]", # notice here
     raw_error: %{
       "code" => "customer_tax_location_invalid",
       "doc_url" => "https://stripe.com/docs/error-codes/customer-tax-location-invalid",
       "message" => "We could not determine the customer's tax location based on the provided customer address.",
       "param" => "customer_details[ip_address]",
       "request_log_url" => "https://dashboard.stripe.com/test/logs/req_unJcuRGfNFBuSb?t=1683497407",
       "type" => "invalid_request_error"
     }
   },
   message: "We could not determine the customer's tax location based on the provided customer address.",
   user_message: nil
 }

Proposal

Prevent using atoms for extra.param
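
The difference the proposal turns on, shown as an added example that is not part of the issue thread or of stripity_stripe's code: atoms are never garbage collected, so converting each distinct `"param"` string with `String.to_atom/1` grows the atom table, while keeping the binary (or using `String.to_existing_atom/1`) does not. `ErrorParamDemo` and its function names are hypothetical, and the error bodies are constructed.

```elixir
defmodule ErrorParamDemo do
  # Hypothetical module for illustration; not stripity_stripe's implementation.

  # Unsafe pattern: each previously unseen string becomes a permanent atom.
  def param_as_atom(%{"param" => param}) when is_binary(param), do: String.to_atom(param)
  def param_as_atom(_), do: nil

  # Proposed pattern: leave the value as a binary, which is garbage collected.
  def param_as_string(%{"param" => param}) when is_binary(param), do: param
  def param_as_string(_), do: nil

  # Middle ground: reuse an atom only if it already exists, else keep the string.
  def param_as_known_atom(%{"param" => param}) when is_binary(param) do
    String.to_existing_atom(param)
  rescue
    ArgumentError -> param
  end

  def param_as_known_atom(_), do: nil

  # Number of atom table entries added while `fun` runs over `bodies`.
  def atoms_created(fun, bodies) do
    before = :erlang.system_info(:atom_count)
    Enum.each(bodies, fun)
    :erlang.system_info(:atom_count) - before
  end
end

# Constructed error bodies whose "param" value is different in every response.
bodies =
  for i <- 1..1_000 do
    %{"param" => "demo_field_#{System.unique_integer([:positive])}[#{i}]"}
  end

# The safe variants run first so the strings are not yet atoms when they are tried.
for {label, fun} <- [
      {"param_as_string", &ErrorParamDemo.param_as_string/1},
      {"param_as_known_atom", &ErrorParamDemo.param_as_known_atom/1},
      {"param_as_atom", &ErrorParamDemo.param_as_atom/1}
    ] do
  IO.puts("#{label}: #{ErrorParamDemo.atoms_created(fun, bodies)} atoms added")
end

IO.puts("atom table limit: #{:erlang.system_info(:atom_limit)}")
```

Watching `:erlang.system_info(:atom_count)` against `:atom_limit` in production telemetry is a simple way to detect this kind of growth before the VM hits the limit and terminates.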

maartenvanvliet commented 1 year ago

+1 on this.

It's a potentially breaking change so the v3 release would be a good moment to introduce it.

yordis commented 1 year ago

Good idea!