Integer Overflow Vulnerability in AddToCart Method (CVE-2024-50944) #1110

Closed
AbdullahAlmutawa opened this issue Dec 20, 2024 · 2 comments · Fixed by #1113


AbdullahAlmutawa commented Dec 20, 2024

Description

The AddToCart method in CartService.cs is vulnerable to an integer overflow when calculating the quantity of items in the cart. This issue allows an attacker to manipulate the total price of items in the cart, leading to unauthorized discounts or negative pricing.

Steps to Reproduce (PoC)

  1. Add a product to the cart with a quantity of 2,147,483,647 (maximum value for a 32-bit signed integer).
  2. Add one more of the same product to the cart.
  3. Observe the quantity and total price. If they turn negative, it confirms that the application is vulnerable to integer overflow.

To further demonstrate the vulnerability, please refer to the following YouTube video: https://www.youtube.com/watch?v=1s-0iedNtV4

Suggested Fix

Vulnerable Code in CartService.cs:

    public async Task<AddToCartResult> AddToCart(long customerId, long productId, int quantity)
    {
        var addToCartResult = new AddToCartResult { Success = false };

        if (quantity <= 0)
        {
            addToCartResult.ErrorMessage = _localizer["The quantity must be larger than zero"].Value;
            addToCartResult.ErrorCode = "wrong-quantity";
            return addToCartResult;
        }

        var cartItem = await _cartItemRepository.Query().FirstOrDefaultAsync(x => x.ProductId == productId && x.CustomerId == customerId);
        if (cartItem == null)
        {
            cartItem = new CartItem
            {
                CustomerId = customerId,
                ProductId = productId,
                Quantity = quantity,
                CreatedOn = DateTimeOffset.Now
                //TODO add vendor id to cartitem
            };

            _cartItemRepository.Add(cartItem);
        }
        else
        {
            // Vulnerable line: int addition with no upper bound, so the sum
            // can wrap past int.MaxValue to a negative quantity.
            cartItem.Quantity = cartItem.Quantity + quantity;
        }

        await _cartItemRepository.SaveChangesAsync();

        addToCartResult.Success = true;
        return addToCartResult;
    }

This bug can be easily fixed by verifying that the quantity the user wants to add + the quantity already in the cart is less than the available stock quantity. If this condition is not met, the addition should be rejected. Otherwise, the operation will succeed, as the store's stock will not exceed 2,147,483,647 products.
There are a lot of other solutions, but that is what I suggest for now.

Useful Links

https://cwe.mitre.org/data/definitions/190.html
https://github.com/AbdullahAlmutawa/CVE-2024-50944

AbdullahAlmutawa changed the title from "Integer Overflow Vulnerability in AddToCart Method" to "Integer Overflow Vulnerability in AddToCart Method (CVE-2024-50944)" on Dec 20, 2024
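
The wraparound from the reproduction steps next to one way of applying the suggested stock check, as an added example that is not the project's code and not the fix merged in #1113. `CartQuantity`, `CombineUnchecked`, `TryCombine`, the `stockQuantity` parameter and the `not-enough-stock` error code are assumptions made for illustration.

```csharp
using System;

// Added illustration; all names here are hypothetical, not taken from CartService.cs.
public static class CartQuantity
{
    // Mirrors the reported line: cartItem.Quantity = cartItem.Quantity + quantity;
    // C# int arithmetic is unchecked by default, so the sum silently wraps.
    public static int CombineUnchecked(int existing, int requested) =>
        unchecked(existing + requested);

    // Hardened form: validate the request, compute the sum in 64-bit so it
    // cannot wrap, then enforce the stock ceiling suggested in the report.
    public static bool TryCombine(int existing, int requested, int stockQuantity,
                                  out int combined, out string errorCode)
    {
        combined = existing;
        errorCode = "";

        if (requested <= 0)
        {
            errorCode = "wrong-quantity";      // same code the original method returns
            return false;
        }

        long total = (long)existing + requested;   // two ints always fit in a long
        if (total > stockQuantity)
        {
            errorCode = "not-enough-stock";    // constructed error code
            return false;
        }

        combined = (int)total;   // safe: total <= stockQuantity <= int.MaxValue
        return true;
    }

    public static void Main()
    {
        // Constructed inputs following the reproduction steps above.
        Console.WriteLine(CombineUnchecked(int.MaxValue, 1));

        bool ok = TryCombine(int.MaxValue, 1, stockQuantity: 500, out int q, out string err);
        Console.WriteLine($"accepted={ok} quantity={q} error={err}");

        ok = TryCombine(3, 2, stockQuantity: 500, out q, out err);
        Console.WriteLine($"accepted={ok} quantity={q} error={err}");
    }
}
```

The same comparison has to run wherever the cart quantity is written, since any other code path that sets `Quantity` without the bound reintroduces the wrap.
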
@hishamco
Member

Thanks for reporting this, @AbdullahAlmutawa. Do you plan to create a PR, or should I do it quickly?

@AbdullahAlmutawa
Author

That fix works fine, thanks @hishamco.
