Excessive Privileges in Applications - Elixir

Need

Prevent unauthorized privilege escalation

Context

  • Usage of Elixir (version 1.10 and above) for building scalable and fault-tolerant applications
  • Usage of Plug for request handling
  • Usage of Phoenix framework for building web applications
  • Usage of Coherence for user management and authentication

Description

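Non-compliant code

    def update_user(conn, %{"user" => user_params}) do
      # The target record is selected by the client-supplied "id".
      user = Repo.get(User, user_params["id"])
      # Every submitted field, including privileges, reaches the changeset.
      changeset = User.changeset(user, user_params)
      Repo.update!(changeset)
      # further code
    end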

This code is vulnerable because it directly updates user information, including their privileges, based on the provided parameters without any checks. An attacker could exploit this to grant themselves excessive permissions.

Steps

  • Implement strict access controls, only allowing users to update their own profiles and not to modify their privileges.
  • Check the user role before executing any action and restrict updates to user roles.
  • Apply the principle of least privilege, ensuring users only have the permissions necessary to perform their tasks.

Compliant code

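    def update_user(conn, %{"user" => user_params}) do
      user = Repo.get(User, user_params["id"])

      # Update only when the record exists, belongs to the authenticated
      # user, and the request carries no "role" parameter.
      if not is_nil(user) and conn.assigns.current_user.id == user.id and
           !user_params["role"] do
        changeset = User.changeset(user, user_params)
        Repo.update!(changeset)
      else
        # return error
      end
      # further code
    end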

The secure code example checks whether the current user is the same as the one being updated, and also checks that the request does not include a 'role' parameter. This helps to prevent privilege escalation attacks by not allowing users to modify their own privileges.
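
As an added example (not code from the original page), the access rules from the steps above can be written as a per-role field allowlist, which rejects 'role' and any other field the caller is not entitled to change instead of testing for a single key. The `UserUpdatePolicy` module, the field names and the "admin" role value are assumptions, and the sample users are constructed.

```elixir
defmodule UserUpdatePolicy do
  @moduledoc "Decides which submitted fields an actor may change on a target user."

  # Assumed field names: what any user may change on their own account.
  @self_fields ~w(name email)
  # Assumed field names: what an administrator may change on any account.
  @admin_fields ~w(name email role)

  def authorize(nil, _target, _params), do: {:error, :unauthenticated}
  def authorize(_actor, nil, _params), do: {:error, :not_found}

  def authorize(actor, target, params) do
    allowed =
      cond do
        actor.role == "admin" -> @admin_fields
        actor.id == target.id -> @self_fields
        true -> []
      end

    # "id" only selects the record; every other key is a requested change.
    requested = params |> Map.delete("id") |> Map.keys()
    rejected = requested -- allowed

    cond do
      allowed == [] -> {:error, :forbidden}
      rejected != [] -> {:error, {:forbidden_fields, rejected}}
      true -> {:ok, Map.take(params, allowed)}
    end
  end
end

# Constructed sample users (plain maps standing in for User structs).
alice = %{id: 1, role: "user"}
bob = %{id: 2, role: "user"}
admin = %{id: 3, role: "admin"}

# A user may edit their own profile fields.
{:ok, %{"name" => "Alice"}} =
  UserUpdatePolicy.authorize(alice, alice, %{"id" => "1", "name" => "Alice"})

# A user may not change their own role, nor edit another account.
{:error, {:forbidden_fields, ["role"]}} =
  UserUpdatePolicy.authorize(alice, alice, %{"id" => "1", "role" => "admin"})

{:error, :forbidden} = UserUpdatePolicy.authorize(alice, bob, %{"id" => "2", "name" => "x"})

# Role changes are reserved for administrators; a missing record is handled.
{:ok, %{"role" => "admin"}} = UserUpdatePolicy.authorize(admin, bob, %{"id" => "2", "role" => "admin"})
{:error, :not_found} = UserUpdatePolicy.authorize(alice, nil, %{"id" => "99"})
```

In a controller, only the map returned in `{:ok, filtered}` would be passed on to `User.changeset/2`.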
