Technical Information Leak - Console Functions - Elixir

Need

Avoid leaking technical information via console functions

Context

  • Usage of Elixir (version 1.11 and above) for building scalable and fault-tolerant applications
  • Usage of IO library for input/output operations

Description

Non-compliant code

    defmodule Vulnerable do
      def process(data) do
        # Prints the full value of data to stdout, including any sensitive fields
        IO.inspect(data)
        # Process data
      end
    end


IO.inspect/2 prints the full, unredacted value of data to the console (standard output). In a production environment that output can end up in container logs, terminal captures or log aggregators, exposing sensitive information (credentials, tokens, personal data) to anyone with access to them.

Steps

  • Remove or comment out IO functions in production code.
  • Use a proper logging library that writes to log files instead of stdout.
  • Implement a logging level feature where debug-level messages aren't logged in production.

Compliant code

    defmodule Secure do
      def process(data) do
        # IO.inspect(data)
        # Process data
        data
      end
    end


In the secure example, the IO.inspect call has been commented out so that data is no longer written to the console. A more robust approach is to route diagnostic output through a proper logging library with log levels, so that debug-level messages are dropped in production rather than relying on developers to remember to remove them.
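As an added example (not part of the original guide), the following shows how steps two and three can be applied in a standard Mix project: debug-level logging goes through Logger instead of IO.inspect, and the production configuration sets the level so those messages are never emitted. File paths and the `limit` value are assumptions.

```elixir
# config/config.exs (shared defaults, assumed standard Mix layout)
import Config
# In dev/test, debug messages are emitted through the configured Logger backend.
config :logger, level: :debug

# config/prod.exs
import Config
# In production, drop anything below :info at runtime and purge debug calls
# at compile time, so the data passed to Logger.debug is never even built.
config :logger,
  level: :info,
  compile_time_purge_matching: [[level_lower_than: :info]]

# lib/secure.ex
defmodule Secure do
  require Logger

  def process(data) do
    # Passing a zero-arity function means inspect/2 only runs when the
    # :debug level is enabled, and the `limit` option truncates large
    # structures so a full payload is not reproduced in the log.
    Logger.debug(fn -> "process/1 received: " <> inspect(data, limit: 10) end)

    # Process data
    data
  end
end
```

With this configuration the same call emits diagnostics in development but produces no output at all under `MIX_ENV=prod`, removing the need to comment out debugging calls by hand.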

References