Insecure Object Reference - Elixir

Insecure Object Reference - Elixir

Need

Prevent unauthorized access to user data

Context

  • Usage of Elixir (1.10 and above) for building scalable and fault-tolerant applications
  • Usage of Phoenix Framework for building web applications
  • Usage of Ecto ORM for data access

Description

Non compliant code

        def show(conn, %{'id' => id}) do
  user = Repo.get(User, id)
  render(conn, 'show.json', user: user)
end
        
        

The insecure code example takes an 'id' parameter from the incoming request and directly uses it to fetch the user data from the database. This means that an attacker can modify the 'id' in the request to access data of any user.

Steps

  • Avoid using direct references to internal objects.
  • Use session-based user authentication and associate this with the users' actions.
  • Instead of using the user-provided 'id', use the 'id' associated with the authenticated session.

Compliant code

        def show(conn, %{'id' => id}) do
  if conn.assigns.current_user.id == id do
    user = Repo.get(User, id)
    render(conn, 'show.json', user: user)
  else
    send_resp(conn, :forbidden, 'Access denied')
  end
end
        
        

In the secure code example, the server first checks whether the authenticated user's 'id' matches the 'id' in the request. If it does not, the server returns a '403 Forbidden' response. This ensures that users can only access their own data.

References