Lack of Data Validation - Out of Range - Elixir

Need

Prevent unauthorized access to restricted functionalities

Context

  • Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications
  • Usage of Plug for request routing

Description

Non-compliant code

defmodule MyAppWeb.EmployeeController do
  use MyAppWeb, :controller

  def show(conn, params) do
    # No domain restriction validation: any request that reaches this
    # action is served, whatever host it was addressed to
    employee = MyApp.get_employee(params["id"])
    render(conn, "show.html", employee: employee)
  end
end

This code is vulnerable because it doesn't validate whether the user is authorized to access the employee management panel based on their domain. An attacker can bypass the restrictions by requesting the employee management panel's absolute paths directly.

Steps

  • Add a function to validate if the user is authorized to access the employee management panel based on their domain.
  • Before calling 'MyApp.get_employee', call this validation function. If the validation fails, return an error response without loading any employee data.

Compliant code

defmodule MyAppWeb.EmployeeController do
  use MyAppWeb, :controller

  def show(conn, params) do
    if authorized_domain?(conn) do
      employee = MyApp.get_employee(params["id"])
      render(conn, "show.html", employee: employee)
    else
      # Reject the request before any employee data is loaded
      send_resp(conn, 403, "Access Denied")
    end
  end

  # Domain validation: the request must have been addressed to one of the
  # hosts configured for the employee management panel. The config key
  # :employee_panel_hosts under the :my_app application is an assumption;
  # adapt it to your own configuration.
  defp authorized_domain?(conn) do
    allowed_hosts = Application.get_env(:my_app, :employee_panel_hosts, [])
    conn.host in allowed_hosts
  end
end

This code is safe because it validates whether the user is authorized to access the employee management panel based on their domain before any employee data is fetched. If the user is not authorized, it returns an 'Access Denied' response with HTTP status 403.
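The two steps above (a domain validation function, called before 'MyApp.get_employee') can also be enforced as a Plug in the controller's pipeline, so the check runs for every action and cannot be forgotten in a single one. The following is an added example, not code from the original page or from Plug/Phoenix; it assumes the application is named :my_app, that the allowed hosts are configured under the key :employee_panel_hosts (both assumptions), and that the controller lives in a Phoenix application. The ExUnit test at the end uses constructed requests.

```elixir
# Added example (not from the original page). Assumes the application is
# named :my_app and that the allowed hosts are configured as
#     config :my_app, :employee_panel_hosts, ["hr.example.com"]
defmodule MyAppWeb.Plugs.RequireAuthorizedDomain do
  @moduledoc """
  Rejects any request whose host (conn.host, taken from the Host header) is
  not one of the configured employee-panel hosts, and halts the pipeline so
  that no controller action runs afterwards.
  """
  @behaviour Plug
  import Plug.Conn

  @impl Plug
  def init(opts), do: opts

  @impl Plug
  def call(conn, _opts) do
    if authorized_domain?(conn.host) do
      conn
    else
      conn
      |> put_resp_content_type("text/plain")
      |> send_resp(403, "Access Denied")
      |> halt()
    end
  end

  @doc "True when `host` matches a configured host (case-insensitive)."
  def authorized_domain?(host) when is_binary(host) do
    allowed =
      :my_app
      |> Application.get_env(:employee_panel_hosts, [])
      |> Enum.map(&String.downcase/1)

    String.downcase(host) in allowed
  end

  def authorized_domain?(_), do: false
end

# The page's controller with the check applied as a plug: the action itself
# no longer has to remember to validate the domain.
defmodule MyAppWeb.EmployeeController do
  use MyAppWeb, :controller

  plug MyAppWeb.Plugs.RequireAuthorizedDomain

  def show(conn, params) do
    employee = MyApp.get_employee(params["id"])
    render(conn, "show.html", employee: employee)
  end
end

# ExUnit test exercising both outcomes on constructed requests
# (Plug.Test ships with the plug package).
defmodule MyAppWeb.Plugs.RequireAuthorizedDomainTest do
  use ExUnit.Case
  import Plug.Test

  alias MyAppWeb.Plugs.RequireAuthorizedDomain

  setup do
    Application.put_env(:my_app, :employee_panel_hosts, ["hr.example.com"])
    :ok
  end

  test "request addressed to an allowed host passes through" do
    conn = %{conn(:get, "/employees/1") | host: "HR.example.com"}
    conn = RequireAuthorizedDomain.call(conn, [])
    refute conn.halted
  end

  test "request addressed to any other host is refused with 403" do
    conn = %{conn(:get, "/employees/1") | host: "other.example"}
    conn = RequireAuthorizedDomain.call(conn, [])
    assert conn.halted
    assert conn.status == 403
  end
end
```

Because conn.host is derived from the request's Host header, the check is only as trustworthy as the reverse proxy or TLS terminator in front of the application; make sure that layer only forwards requests for the hostnames you actually serve.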
