Directory Listing - Elixir

Directory Listing - Elixir

Need

Prevent unauthorized listing of directory contents that could reveal sensitive information or application structure.

Context

  • Usage of Elixir (v1.11+) for building scalable and fault-tolerant applications
  • Usage of Plug.Static library for serving static files in Elixir

Description

Non compliant code

        plug Plug.Static, 
  at: "/",
  from: :app,
  gzip: false,
  only: ~w(css fonts images js favicon.ico robots.txt)
        
        

This configuration in the endpoint.ex file serves static assets from the root directory and its subdirectories. If the server is incorrectly configured or if an index file is not present, it allows anyone to list all files in these directories.

Steps

  • Disable directory listing in the server settings.
  • Enforce an index file to be served when a directory is accessed.
  • Ensure that only necessary files are publicly accessible.

Compliant code

        plug Plug.Static, 
  at: "/",
  from: :app,
  gzip: false,
  index: 'index.html',
  only: ~w(css fonts images js favicon.ico robots.txt)
        
        

The 'index' option is added to the configuration. This enforces the 'index.html' file to be served when a directory is accessed. Thus, the content of the directory is not listed and the vulnerability is mitigated.

References