Remote File Inclusion - Elixir

Need

Prevent execution of remote files to maintain application integrity and confidentiality of data.

Context

  • Usage of Elixir for building scalable and fault-tolerant applications
  • Usage of Plug and Cowboy for HTTP request and response handling
  • Usage of server to accept URLs or file paths from user inputs

Description

Non compliant code

        defmodule VulnerableApp do
          use Plug.Router

          plug :match
          plug :dispatch

          get "/" do
            # The path is taken straight from the query string and read without any check
            conn = Plug.Conn.fetch_query_params(conn)
            filename = conn.query_params["filename"]
            file_content = File.read!(filename)
            send_resp(conn, 200, file_content)
          end
        end

This code reads and returns a file whose location is taken directly from user input, so an attacker-controlled path or URL reaches the file-handling code unchecked, which is what enables Remote File Inclusion.

Steps

  • Don't allow file paths or URLs to be specified directly by user inputs.
  • Sanitize all user inputs to ensure they don't contain malicious code.
  • Use a safe method for handling files, such as storing file references in a database and retrieving them by ID.

Compliant code

        defmodule SecureApp do
          use Plug.Router

          plug :match
          plug :dispatch

          get "/" do
            # Only an opaque id is accepted; the path itself is chosen by the server
            conn = Plug.Conn.fetch_query_params(conn)
            file_id = conn.query_params["file_id"]

            case lookup_filename(file_id) do
              nil -> send_resp(conn, 404, "file not found")
              filename -> send_resp(conn, 200, File.read!(filename))
            end
          end

          # Stand-in for the database query that maps a file id to its stored path;
          # the map below is a placeholder for the real file-reference table.
          @files %{"1" => "priv/files/readme.txt"}
          defp lookup_filename(file_id), do: Map.get(@files, file_id)
        end

This code retrieves files in a safe manner by using a database of file references rather than directly including files from user inputs.
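As an added example (not code from the original page), the indirection step above carried one step further: a constructed id-to-path table stands in for the database, the resolved path is confined to an assumed storage root `priv/files` so that a bad table entry cannot escape it either, and unknown ids or read failures become a 404 instead of a raised exception.

```elixir
defmodule FileIndirection do
  @moduledoc "Maps an opaque file id to a server-controlled path confined to a base directory."

  # Constructed allowlist standing in for the database table of file references
  @files %{
    "1" => "docs/readme.txt",
    "2" => "docs/guide.txt"
  }

  # Assumed storage root; nothing outside it may ever be read
  @base_dir Path.expand("priv/files")

  @doc "Returns {:ok, absolute_path} or {:error, reason}."
  def resolve(file_id) when is_binary(file_id) do
    with {:ok, rel} <- lookup(file_id),
         full = Path.expand(rel, @base_dir),
         # Defence in depth: even a traversal sequence in the table cannot leave the root
         true <- String.starts_with?(full, @base_dir <> "/") || {:error, :outside_base} do
      {:ok, full}
    end
  end

  def resolve(_), do: {:error, :unknown_id}

  defp lookup(file_id) do
    case Map.fetch(@files, file_id) do
      {:ok, rel} -> {:ok, rel}
      :error -> {:error, :unknown_id}
    end
  end
end

defmodule SecureFileRouter do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/files" do
    conn = Plug.Conn.fetch_query_params(conn)

    # The client never supplies a path or URL, only an id that the server resolves
    with {:ok, path} <- FileIndirection.resolve(conn.query_params["file_id"]),
         {:ok, content} <- File.read(path) do
      send_resp(conn, 200, content)
    else
      _ -> send_resp(conn, 404, "not found")
    end
  end
end
```

A request such as `GET /files?file_id=../../etc/passwd` fails at the id lookup before any filesystem call, and `FileIndirection.resolve/1` can be exercised directly in `iex` without starting the router.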

References