Debugging Enabled in Production - Elixir

Need

Prevent sensitive information disclosure

Context

  • Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications
  • Usage of Plug.Debugger for debugging Elixir applications

Description

Non compliant code

    defmodule MyApp do
      use Plug.Router

      # Vulnerable: the guard is inverted, so the debugger is compiled in
      # only for production builds and every unhandled error is rendered
      # as a debug page for the client.
      if Mix.env() == :prod do
        use Plug.Debugger
      end

      plug :match
      plug :dispatch

      get "/" do
        send_resp(conn, 200, "Hello, world!")
      end
    end

In this code the guard is inverted: Plug.Debugger is pulled in exactly when Mix.env() is :prod, so every unhandled exception in production is rendered as an HTML debug page in the client's browser. That page contains the exception message, a full stack trace with excerpts of the application source around each frame, and request details such as query parameters and session data. Whatever the failing request touched (file paths, module and function names, internal identifiers, session contents) is therefore disclosed to whoever triggered the error, and an attacker can provoke errors deliberately to map the application's internals.

Steps

  • Never use Plug.Debugger unconditionally or under a production guard; wrap it in if Mix.env() == :dev do ... end so it is not even compiled into production builds.
  • Keep the Mix.env() check in the module body, where it is evaluated at compile time. The Mix module is not available at runtime in a release, so the same check inside a function body would fail in production.
  • In Phoenix applications the same debug page is enabled by the endpoint option debug_errors: true; set it only in the development configuration and confirm the production configuration does not enable it.
  • Review the application configuration before each release; a quick check is to search the code base for Plug.Debugger and debug_errors and verify every occurrence is gated on the development environment.

Compliant code

    defmodule MyApp do
      use Plug.Router

      # Compile-time guard: the debugger is only part of development builds.
      if Mix.env() == :dev do
        use Plug.Debugger
      end

      plug :match
      plug :dispatch

      get "/" do
        send_resp(conn, 200, "Hello, world!")
      end
    end

In the updated code the debugger is compiled in only when Mix.env() is :dev, that is, for development builds; a production build never contains Plug.Debugger, so no stack trace or source excerpt can reach the client. Note what production then does with an unhandled exception: Plug.Router does not catch it, so it propagates to the adapter, which answers with a generic 500 response and logs the crash on the server. If users should see a friendlier page, add a Plug.ErrorHandler that sends a fixed message and keeps the details in the server log; do not reintroduce the debugger for that purpose.
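The following script is an added example, not code from this page or from the Plug project. It combines the development-only debugger guard with a Plug.ErrorHandler so that a production build answers every uncaught error with a fixed message while the exception and stack trace stay in the server log. It assumes Elixir 1.12 or later (for Mix.install/1), the plug_cowboy ~> 2.6 dependency, a free TCP port 4000, and the illustrative module, route and message names used below.

```elixir
# Added example (not the page's own code). Run it with
#   elixir error_pages.exs                 # compiled with MIX_ENV=dev
#   MIX_ENV=prod elixir error_pages.exs    # compiled with MIX_ENV=prod
# and request http://localhost:4000/boom in both cases.
# Assumptions: Elixir 1.12+ for Mix.install/1, plug_cowboy ~> 2.6, port 4000 free.
Mix.install([{:plug_cowboy, "~> 2.6"}])

defmodule MyApp do
  use Plug.Router
  require Logger

  # Mix.env/0 is evaluated once, at compile time, in the module body. That is
  # the only safe place for it: the Mix module is not shipped in a release, so
  # the same call inside a function body would fail in production. The value
  # is captured in a module attribute so it can be reported later.
  @env Mix.env()

  if @env == :dev do
    use Plug.Debugger
  end

  # Used in every environment. Plug.ErrorHandler wraps call/2 and invokes
  # handle_errors/2 only when no response has been sent yet, so in :dev the
  # debugger page (sent first) wins and in :prod the generic handler below is
  # what the client sees. The error is re-raised afterwards, so the adapter
  # still logs the crash as usual.
  use Plug.ErrorHandler

  plug :match
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "Hello, world!")
  end

  # Route that fails on purpose so the two behaviours can be compared.
  get "/boom" do
    raise "simulated internal failure while handling #{conn.request_path}"
  end

  # Returns the environment the module was compiled for (:dev, :test or :prod).
  def env, do: @env

  @impl Plug.ErrorHandler
  def handle_errors(conn, %{kind: kind, reason: reason, stack: stack}) do
    # Full details go to the server log only; the client gets a fixed message.
    # conn.status was already set by Plug.ErrorHandler (500 for a RuntimeError).
    Logger.error(Exception.format(kind, reason, stack))
    send_resp(conn, conn.status, "Internal Server Error")
  end
end

{:ok, _pid} = Plug.Cowboy.http(MyApp, [], port: 4000)
IO.puts("MyApp compiled for #{MyApp.env()}; listening on http://localhost:4000")
Process.sleep(:infinity)
```

With the default MIX_ENV of dev the request to /boom returns the debug page with the stack trace; with MIX_ENV=prod the same request returns only the text "Internal Server Error" and the formatted exception appears in the terminal log. Because the guard is resolved when the module is compiled, the production build contains no reference to Plug.Debugger at all, which is the property to verify rather than any runtime flag.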

References