Business Information Leak - Personal Information - Elixir

Need

Avoid exposing real users' personal information by storing it in the source code

Context

  • Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  • Usage of Plug (1.12.0 and above) for building composable web application modules

Description

Non compliant code

defmodule MyApp.UserController do
  use MyApp.Web, :controller

  # The id parameter is not used in this minimal example, hence the underscore.
  def show(conn, %{"id" => _id}) do
    # Real personal data written directly into the source file: anyone who can
    # read the repository, a build artifact or a leaked copy of it can read it.
    user = %{id: "real_id", phone: "real_phone_number"}
    render(conn, "show.json", user: user)
  end
end


The insecure code embeds real personal information (such as ID numbers and phone numbers) directly in the source code. Source code is copied, shared and backed up far more widely than a production data store, so this can lead to a serious data breach in which the personal information is leaked and used for malicious purposes such as social engineering attacks.

Steps

  • Never hard-code real personal information within your source code.
  • Use environment variables or secure configuration files to store sensitive data if necessary.

Compliant code

defmodule MyApp.UserController do
  use MyApp.Web, :controller

  # The id parameter is not used in this minimal example, hence the underscore.
  def show(conn, %{"id" => _id}) do
    # The values are read from the process environment at request time, so the
    # source file itself contains no personal data.
    user = %{id: System.get_env("USER_ID"), phone: System.get_env("PHONE_NUMBER")}
    render(conn, "show.json", user: user)
  end
end


The secure code reads the values from environment variables instead of hard-coding them, so the personal information is never present in the source code and cannot be leaked along with it.
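Two practical complements to the compliant pattern above, as an added example that is not part of the original page: a configuration loader that fails fast when a required variable is missing (System.get_env/1 silently returns nil, which would otherwise end up in the rendered JSON), and a small source scanner that flags string literals which look like hard-coded phone or ID numbers so the problem is caught in review or CI. The module names PiiConfig and PiiScanner, the regular expression and the sample source are all constructed for this example; the patterns are deliberately loose and should be tuned to the number formats used in your locale.

```elixir
# Added example, not code from the original page. Runs stand-alone with
# `elixir pii_example.exs`; it depends only on the Elixir standard library.

defmodule PiiConfig do
  @moduledoc """
  Reads sensitive values from the environment and refuses to start with any of
  them missing. `System.get_env/1` returns nil for an unset variable, so a
  controller using it would happily render `"phone": null`; raising here makes
  the misconfiguration visible at boot instead.
  """

  # Hypothetical list of variables the application requires.
  @required ["USER_ID", "PHONE_NUMBER"]

  # The env map is a parameter (defaulting to the real environment) so the
  # behaviour can be exercised with a constructed map.
  def load!(env \\ System.get_env()) do
    Enum.into(@required, %{}, fn name ->
      case Map.fetch(env, name) do
        {:ok, value} when value != "" -> {name, value}
        _ -> raise ArgumentError, "missing required environment variable #{name}"
      end
    end)
  end
end

defmodule PiiScanner do
  @moduledoc """
  Reports source lines containing a double-quoted string literal with a run of
  nine or more digits, optionally separated by spaces, dots or dashes. That
  shape covers most phone and national ID numbers; anything reported is meant
  for human review, not automatic rejection.
  """

  # Constructed pattern: a digit, then at least seven digit/separator
  # characters, then a closing digit, all inside one string literal.
  @suspicious ~r/"[^"\n]*\d(?:[\d .\-]{7,}\d)[^"\n]*"/

  def scan_source(source) when is_binary(source) do
    source
    |> String.split("\n")
    |> Enum.with_index(1)
    |> Enum.filter(fn {line, _n} -> Regex.match?(@suspicious, line) end)
    |> Enum.map(fn {line, n} -> {n, String.trim(line)} end)
  end

  # Convenience wrapper for use from a pre-commit hook or CI job.
  def scan_file(path), do: path |> File.read!() |> scan_source()
end

# Constructed sample: a controller that hard-codes a phone number.
sample = ~S"""
defmodule MyApp.UserController do
  def show(conn, %{"id" => id}) do
    user = %{id: "u-1", phone: "555-0100-1234"}
    render(conn, "show.json", user: user)
  end
end
"""

IO.inspect(PiiScanner.scan_source(sample), label: "suspicious literals")

# Fail fast on missing configuration, using a constructed env map that omits
# PHONE_NUMBER rather than the real process environment.
try do
  PiiConfig.load!(%{"USER_ID" => "42"})
rescue
  e in ArgumentError -> IO.puts("config check failed: " <> Exception.message(e))
end
```

PiiConfig.load!/1 is the kind of check that belongs in config/runtime.exs or the application's start callback, so a deployment missing a variable fails at boot rather than serving incomplete responses; PiiScanner.scan_file/1 can be run over `lib/` in CI and fail the build when it returns a non-empty list.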

References