Improper Control of Interaction Frequency - Elixir

Need

To prevent server saturation and potential Denial of Service (DoS) attacks

Context

  • Usage of Elixir for building scalable and fault-tolerant applications
  • Usage of Elixir Plug for handling HTTP requests and protecting against attacks
  • No rate limiting for API requests

Description

Non compliant code

    defmodule VulnerableApp.ApiController do
      use Plug.Router

      # No throttling plug in the pipeline: every request, from any client,
      # reaches :dispatch and the API logic behind it.
      plug :match
      plug :dispatch

      get "/", do: index(conn, conn.params)

      def index(conn, _params) do
        # API logic here
        send_resp(conn, 200, "OK")
      end
    end

The Elixir code above exposes an API endpoint without any rate limiting, so a single client can send as many requests as it likes in a short period of time. Each request consumes CPU, memory and log space, which makes the application vulnerable to DoS (resource exhaustion) and log flooding.

Steps

  • Add the 'plug_attack' library (or a similar throttling plug) to the project and start its storage backend (for example PlugAttack.Storage.Ets) under the application supervisor.
  • Define throttle rules keyed by client (IP address, API key or user) with a limit and period sized to the application's capacity.
  • Plug the rule module into the API pipeline ahead of routing and answer throttled requests with HTTP 429 instead of serving them.

Compliant code

    defmodule SecureApp.RateLimiter do
      import Plug.Conn
      use PlugAttack

      # Allow at most 10 requests per minute per client IP, counted in ETS.
      rule "throttle by ip", conn do
        throttle conn.remote_ip,
          period: 60_000,
          limit: 10,
          storage: {PlugAttack.Storage.Ets, SecureApp.RateLimiter.Storage}
      end

      # Throttled requests are answered with 429 (the library default is 403)
      # and the pipeline is halted so the API logic never runs for them.
      def block_action(conn, _data, _opts) do
        conn
        |> send_resp(429, "Too Many Requests")
        |> halt()
      end
    end

    defmodule SecureApp.ApiController do
      use Plug.Router

      # The rate limiter runs before routing so every request is counted.
      plug SecureApp.RateLimiter
      plug :match
      plug :dispatch

      get "/", do: index(conn, conn.params)

      def index(conn, _params) do
        # API logic here
        send_resp(conn, 200, "OK")
      end
    end

The Elixir code above uses the 'plug_attack' library to implement rate limiting on the API endpoint: a throttle rule counts requests per client IP in an ETS table and the router runs that plug before matching routes, so a client that exceeds the limit within the period receives 429 and never reaches the API logic. The ETS storage must be started under the application supervisor (for example with `{PlugAttack.Storage.Ets, name: SecureApp.RateLimiter.Storage, clean_period: 60_000}`), otherwise the throttle has nowhere to keep its counters. This prevents clients from sending too many requests in a short period of time, protecting the application from DoS attacks and log flooding.
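The following is an added example, not code from the original page or from the plug_attack project: it carries the steps above through to a complete throttle module with rate-limit headers, a router that throttles before matching, and ExUnit tests that prove the limit is enforced per client. It assumes plug and plug_attack (0.4 or later, for the child_spec form of the ETS storage) are in mix.exs; the module names, the 10-requests-per-minute limit and the 10.0.0.x client addresses are illustrative choices.

```elixir
# Added example (not the page's own code): a plug_attack throttle wired into a
# Plug.Router, plus ExUnit tests that drive it through Plug.Test. Assumes
# plug and plug_attack (0.4 or later) are in mix.exs deps. Module names, the
# 10-requests-per-minute limit and the 10.0.0.x client addresses are
# illustrative choices, not values from the original page.

defmodule Example.Throttle do
  import Plug.Conn
  use PlugAttack

  @storage {PlugAttack.Storage.Ets, Example.Throttle.Storage}

  # One bucket per client IP: at most 10 requests in any 60 s window.
  rule "throttle by ip", conn do
    throttle conn.remote_ip, period: 60_000, limit: 10, storage: @storage
  end

  # Requests that pass the throttle still carry the rate-limit headers so
  # well-behaved clients can back off before they hit the limit.
  def allow_action(conn, {:throttle, data}, _opts), do: put_limit_headers(conn, data)
  def allow_action(conn, _data, _opts), do: conn

  # Throttled requests get 429 (library default is 403) and the pipeline halts.
  def block_action(conn, {:throttle, data}, _opts) do
    conn
    |> put_limit_headers(data)
    |> send_resp(429, "Too Many Requests")
    |> halt()
  end

  def block_action(conn, _data, _opts) do
    conn |> send_resp(403, "Forbidden") |> halt()
  end

  # Field names follow the plug_attack README (:limit, :remaining, :expires_at
  # in milliseconds); verify them against the installed version.
  defp put_limit_headers(conn, data) do
    conn
    |> put_resp_header("x-ratelimit-limit", to_string(data[:limit]))
    |> put_resp_header("x-ratelimit-remaining", to_string(data[:remaining]))
    |> put_resp_header("x-ratelimit-reset", to_string(div(data[:expires_at], 1_000)))
  end
end

defmodule Example.Router do
  use Plug.Router

  # Throttle before :match so unknown paths are counted too; otherwise a
  # client could hammer the 404 handler without limit.
  plug Example.Throttle
  plug :match
  plug :dispatch

  get "/", do: send_resp(conn, 200, "OK")
  match _, do: send_resp(conn, 404, "Not Found")
end

defmodule Example.RouterTest do
  use ExUnit.Case, async: false
  import Plug.Test
  import Plug.Conn

  @opts Example.Router.init([])

  setup do
    # The ETS counter table must be running. In a real app it lives in the
    # application supervision tree; here it is started fresh for each test.
    start_supervised!(
      {PlugAttack.Storage.Ets, name: Example.Throttle.Storage, clean_period: 60_000}
    )

    :ok
  end

  # Plug.Test defaults remote_ip to 127.0.0.1, so set it explicitly per client.
  defp request(ip) do
    conn = %{conn(:get, "/") | remote_ip: ip}
    Example.Router.call(conn, @opts)
  end

  test "the 11th request from one IP inside the window is rejected" do
    statuses = for _ <- 1..11, do: request({10, 0, 0, 7}).status
    assert Enum.take(statuses, 10) == List.duplicate(200, 10)
    assert List.last(statuses) == 429
  end

  test "a different IP has its own bucket" do
    for _ <- 1..10, do: request({10, 0, 0, 7})
    conn = request({10, 0, 0, 8})
    assert conn.status == 200
    assert get_resp_header(conn, "x-ratelimit-limit") == ["10"]
  end
end
```

Two caveats a practitioner should check before relying on this. First, `conn.remote_ip` is the address of the TCP peer: behind a reverse proxy or load balancer that is the proxy, so every client shares one bucket and one noisy client throttles everyone; derive the client address from X-Forwarded-For only for hops you trust, in a plug that runs before the throttle. Second, PlugAttack.Storage.Ets is per BEAM node, so in a cluster of N nodes the effective limit is N times the configured one; a shared store is needed if the limit must hold cluster-wide. For authenticated endpoints, keying the throttle on the API key or user id rather than the IP gives a fairer and harder-to-evade limit.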

References