# Business Logic Bypass

- ID: python-business-logic-bypass
- Severity: HIGH
- CWE: CWE-840
- Languages: Python
- Frameworks: flask, fastapi, django

## Description

Detects client-controlled business-critical values (price, quantity, discount) flowing to payment or business operations without server-side validation. A request that carries its own `price` or `discount` lets the client decide what it pays; the server must treat those fields as untrusted and derive every amount from data it owns.

## Detection Message

Client-controlled value from {source} flows to {sink} without server-side calculation.

## Remediation

Calculate totals server-side using database prices instead of client values. Accept only identifiers and quantities from the client, look the price up in the database, validate the quantity, and pass the resulting amount to the payment call. The original snippet also omitted the currency and the conversion to the smallest currency unit (cents) that Stripe expects for `amount`.

```python
import stripe
from fastapi import HTTPException


@app.post('/checkout')
async def checkout(item_id: int, quantity: int):
    # Only the product id and the quantity come from the client; the price is read from the database.
    product = Product.query.get(item_id)
    if product is None or quantity < 1:
        raise HTTPException(status_code=400, detail="invalid item or quantity")
    total = product.price * quantity
    # Stripe amounts are integers in the smallest currency unit, so convert before charging.
    # The payment source/customer argument is omitted here, as in the original snippet.
    stripe.Charge.create(amount=int(round(total * 100)), currency="usd")
```

Learn more: https://shoulder.dev/learn/python/cwe-840/business-logic-bypass
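The remediation above shows the fixed route but not what the bypass actually buys an attacker or how a hardened handler should behave on bad input. The following added example (written for this page, not taken from the rule or from shoulder.dev) puts the flagged pattern beside the server-side calculation. `CATALOG`, `COUPONS`, `MAX_QUANTITY` and the request-body shape are constructed stand-ins for a product table, a coupon table and a JSON checkout body; `charge` is an injected callable standing in for `stripe.Charge.create` so the code runs offline.

```python
"""Client-trusting versus server-side checkout totals (added example, constructed data)."""
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample catalog standing in for the products table: item id -> unit price.
CATALOG = {101: Decimal("49.99"), 102: Decimal("5.00")}
# Constructed server-side coupon table: code -> percent off. The client may name a coupon,
# but the percentage itself is never read from the request.
COUPONS = {"SAVE10": 10}
MAX_QUANTITY = 100


class CheckoutError(ValueError):
    """Raised when a line item fails server-side validation."""


def to_minor_units(amount: Decimal) -> int:
    """Convert a decimal amount to an integer number of cents, as payment APIs expect."""
    return int((amount * 100).quantize(Decimal("1"), rounding=ROUND_HALF_UP))


def vulnerable_total(body: dict) -> int:
    """The pattern the rule flags: price and discount are taken from the request body."""
    subtotal = Decimal("0")
    for item in body["items"]:
        subtotal += Decimal(str(item["price"])) * item["quantity"]
    discount = Decimal(str(body.get("discount_percent", 0)))
    return to_minor_units(subtotal * (100 - discount) / 100)


def server_total(body: dict) -> int:
    """Recompute the total from the catalog; only ids, quantities and a coupon code are accepted."""
    subtotal = Decimal("0")
    for item in body["items"]:
        item_id = item.get("item_id")
        quantity = item.get("quantity")
        # Reject anything that is not a plain int (bool is an int subclass, so exclude it).
        if not isinstance(item_id, int) or isinstance(item_id, bool):
            raise CheckoutError("item_id must be an integer")
        if not isinstance(quantity, int) or isinstance(quantity, bool):
            raise CheckoutError("quantity must be an integer")
        if not 1 <= quantity <= MAX_QUANTITY:
            raise CheckoutError(f"quantity out of range: {quantity}")
        if item_id not in CATALOG:
            raise CheckoutError(f"unknown product: {item_id}")
        subtotal += CATALOG[item_id] * quantity
    # Discount comes from the server-side coupon table; an unknown code gives no discount.
    percent = COUPONS.get(body.get("coupon", ""), 0)
    return to_minor_units(subtotal * (100 - percent) / 100)


def checkout(body: dict, charge) -> int:
    """Compute the total server-side and hand only that amount to the payment sink.

    `charge` stands in for stripe.Charge.create (hypothetical injection so the example runs offline).
    """
    amount = server_total(body)
    charge(amount=amount, currency="usd")
    return amount
```

A tampered body that sends `price: 0.01` and `discount_percent: 99` for two units of item 101 yields a charge of 0 cents from `vulnerable_total` and 9998 cents from `server_total`; a negative quantity turns into a negative (refund-like) amount in the first and a `CheckoutError` in the second. Using `Decimal` rather than float for money avoids rounding drift when the amount is converted to cents.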