← all rules

code/payment-amount-from-client-js

Payment tampering: charge amount taken from client input

highBusiness logicbusiness-logicCWE-840js

What it detects

A monetary field (amount, price, total, unit_amount, subtotal, discount) is taken directly from `req.body`/`req.query`. A client can then set its own price. Compute the amount server-side from trusted catalog/cart data before charging.

How it runs

Applied line-by-line on JS/TS and Python files (comments skipped). Flags input flowing into a trust decision — an ORM write, a privilege attribute, a charge amount, or a primary-key lookup — where an authorization/ownership check should exist. Conservative by design: confirm whether the check is present nearby.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.