Need

Prevent exposure of sensitive information through metadata.

Context

• Usage of Elixir (v1.11+) for building scalable and fault-tolerant applications
• Usage of Logger module for logging and debugging purposes

Description

Non compliant code

        defmodule MyController do
  use Plug.Logger

  def handle_request(conn, _params) do
    Logger.debug(fn -> inspect(conn) end)
    send_resp(conn, 200, "OK")
  end
end
        
        

This code can be vulnerable as it logs the entire connection object, including potentially sensitive information such as headers or parameters. If these logs are accessible, it could lead to an information leak.

Steps

• Avoid logging sensitive information, such as keys, secrets or personally identifiable information.
• If sensitive data needs to be logged for debugging purposes, ensure it is appropriately masked or anonymized.
• Consider using a log management solution that provides access control, encryption and log retention capabilities.

Compliant code

        defmodule MyController do
  use Plug.Logger

  def handle_request(conn, _params) do
    Logger.debug(fn -> "Processing request" end)
    send_resp(conn, 200, "OK")
  end
end
        
        

This code is safer as it only logs a generic message, instead of the entire connection object. Thus, no sensitive information is logged.

References

• 119. Metadata with sensitive information