Business Information Leak - Credentials - Elixir

Need

Prevent leakage of sensitive credentials

Context

Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
Usage of Plug (1.11.0 and above) for building composable web applications in Elixir

Description

Non compliant code

        defmodule MyApp.Config do
  @api_key "hard-coded-api-key"

  def get_api_key do
    @api_key
  end
end

The code hard-codes a sensitive API key, which exposes the key if the code is leaked. An attacker obtaining this key can misuse it to impersonate the application.

Steps

Remove hard-coded sensitive credentials from the code.
Store sensitive credentials securely, such as in environment variables, or in encrypted configuration files.

Compliant code

        defmodule MyApp.Config do
  def get_api_key do
    System.get_env("API_KEY")
  end
end

The code retrieves the API key from an environment variable instead of hard-coding it. Even if the code is leaked, the sensitive API key remains secure.

References

214. Business information leak - Credentials