Business Information Leak - Elixir

Business Information Leak - Elixir

Need

Prevention of unauthorized access to sensitive business data.

Context

  • Usage of Elixir (v1.11+) for building scalable and fault-tolerant applications
  • Usage of Phoenix Framework for building web applications

Description

Non compliant code

        def index(conn, _params) do
  users = Repo.all(User)
  render(conn, "index.json", users: users)
end
        
        

This Elixir code is a simple controller action in a Phoenix API that lists all the users in the database. The Repo.all(User) fetches all users' information from the database, including sensitive data such as usernames, employee information, client information, provider information, and strategic information. This is a business information leak vulnerability because it exposes sensitive business data without proper access control checks.

Steps

  • Implement proper access control checks before retrieving data from the database.
  • Restrict what information is sent to the client.
  • Consider using view models to control what data is sent to the client.

Compliant code

        def index(conn, _params) do
  user = get_current_user(conn)
  if user && user.role == 'admin'
    users = Repo.all(User)
    users = for user <- users, do: %{id: user.id, username: user.username}
    render(conn, "index.json", users: users)
  else
    conn |> put_status(:forbidden) |> json(%{message: 'Forbidden'})
  end
end
        
        

In this code, before we fetch any user data, we check if the currently authenticated user is an admin. If they are, we fetch the users but only return the id and username, removing any sensitive information. If the current user is not an admin, we return a 403 Forbidden response.

References