Business Information Leak - Users - Elixir

Business Information Leak - Users - Elixir

Need

Prevent exposure of valid users' list

Context

  • Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  • Usage of Plug (1.12.1 and above) for building composable web applications in Elixir
  • Usage of Ecto for database query and manipulation (version 3.6.2 and above)

Description

Non compliant code

        defmodule MyApp.UserController do
  use MyApp.Web, :controller

  def index(conn, _params) do
    users = Repo.all(User)
    render(conn, "index.json", users: users)
  end
end

This insecure code is exposing the list of all users without any checks or restrictions. This could allow attackers to obtain information about valid users in the system.

Steps

  • Restrict access to user lists and only expose it when necessary and to authorized users.
  • Include server-side checks to ensure only authorized users can access the data.

Compliant code

        defmodule MyApp.UserController do
  use MyApp.Web, :controller

  def index(conn, _params) do
    if authorized?(conn) do
      users = Repo.all(User)
      render(conn, "index.json", users: users)
    else
      send_resp(conn, :unauthorized, "")
    end
  end

  defp authorized?(conn) do
    # Add authorization checks here
  end
end

The secure code only provides the list of users if the user is authorized. It ensures that only the right users can see the user list.

References