Business Information Leak - Analytics - Elixir

Need

Prevent unauthorized access to business analytics through exposed API key

Context

  • Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  • Usage of Plug (1.12.0 and above) for building composable web applications in Elixir

Description

Non compliant code

        defmodule MyApp.AnalyticsController do
          use MyApp.Web, :controller

          # The shared API key is a string literal in source: anyone who can read
          # the repository or a build artifact learns it, and it cannot be rotated
          # without a redeploy. It also arrives as a query parameter, so every
          # request writes it into access logs, proxy logs and browser history.
          def show(conn, %{"apiKey" => apiKey}) do
            if apiKey == "exposed_api_key" do
              # The literal above is the only check: there is no notion of who
              # the caller is, so one leaked key grants everyone the analytics.
              analytics = MyApp.Analytics.get()
              render(conn, "show.json", analytics: analytics)
            else
              send_resp(conn, :unauthorized, "")
            end
          end
        end

This insecure code hardcodes the API key in the controller and accepts it as a URL query parameter. Anyone who can read the source learns the key, and the URL that carries it ends up in access logs, browser history and any API documentation (such as a Swagger page) that records example requests. Because the key is shared and there is no check on who the caller is, a single leaked key gives unauthorized users access to business analytics, a serious information breach of valuable business insights.

Steps

  • Never put API keys in source code or in URLs: query strings are logged and cached, so send the key in a request header instead.
  • Load the key from the environment or a secrets manager at runtime, fail closed when it is missing, and compare it with a constant-time comparison.
  • Treat the key as authentication only: add an authorization check (role or scope tied to the key) so that only authorized callers can read the analytics.

Compliant code

        defmodule MyApp.AnalyticsController do
          use MyApp.Web, :controller

          def show(conn, _params) do
            # The reference key comes from the environment at runtime and the
            # process fails closed (raises) if it was never configured.
            expected = System.fetch_env!("API_KEY")

            # The key is read from the x-api-key header rather than the query
            # string, so it never appears in URLs or access logs. The comparison
            # is constant-time so response timing does not reveal matching bytes.
            with [presented] <- get_req_header(conn, "x-api-key"),
                 true <- Plug.Crypto.secure_compare(presented, expected),
                 true <- authorized?(conn) do
              analytics = MyApp.Analytics.get()
              render(conn, "show.json", analytics: analytics)
            else
              _ ->
                conn
                |> send_resp(:unauthorized, "")
                |> halt()
            end
          end

          # Authorization check: decide whether the caller behind this key may
          # read analytics. Returns false until implemented so the endpoint
          # fails closed.
          defp authorized?(_conn) do
            # Add authorization checks here
            false
          end
        end

The secure code compares the presented key against a value loaded from the environment rather than a literal in source, and only returns analytics when a separate authorization check also passes. Neither the API key nor the business analytics are exposed to unauthorized callers.
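The Steps above and the authorized?/1 stub, as an added example that is not part of the original page: a reusable Plug that reads the key from the x-api-key header, compares it in constant time against keys loaded from runtime configuration, and ties each key to the scopes it may use, so a key issued for one endpoint cannot read analytics. The module names, the :my_app config key, the x-api-key header name and the sample keys are assumptions made for illustration. The script runs stand-alone on Elixir 1.12 or later via Mix.install and exercises the plug with Plug.Test connections.

```elixir
# Added example (not the original page's code). Assumed names: MyApp.Plugs.RequireApiKey,
# the :my_app application, the :api_keys config key and the x-api-key header.
Mix.install([{:plug, "~> 1.12"}])

defmodule MyApp.Plugs.RequireApiKey do
  @moduledoc """
  Rejects a request unless the `x-api-key` header matches a configured key
  and that key is allowed to use the scope the endpoint requires.
  """
  import Plug.Conn
  @behaviour Plug

  @impl true
  def init(opts), do: Keyword.fetch!(opts, :scope)

  @impl true
  def call(conn, required_scope) do
    # Exactly one header value is accepted; none or several is a rejection.
    with [presented] <- get_req_header(conn, "x-api-key"),
         {:ok, scopes} <- lookup_key(presented),
         true <- required_scope in scopes do
      assign(conn, :api_scopes, scopes)
    else
      _ ->
        conn
        |> put_resp_content_type("application/json")
        |> send_resp(401, ~s({"error":"unauthorized"}))
        |> halt()
    end
  end

  # Keys live in runtime config (in a real app config/runtime.exs would fill
  # this list from System.fetch_env!/1); they are never literals in a controller.
  # Each key carries the scopes it grants, which is the authorization step.
  defp lookup_key(presented) do
    keys = Application.get_env(:my_app, :api_keys, [])

    # Constant-time comparison per key, so response time does not reveal how
    # many leading bytes of the presented key matched.
    Enum.find_value(keys, :error, fn {key, scopes} ->
      if Plug.Crypto.secure_compare(presented, key), do: {:ok, scopes}
    end)
  end
end

# Constructed configuration and requests for the demonstration.
Application.put_env(:my_app, :api_keys, [
  {"analytics-key-from-env", [:analytics, :status]},
  {"status-only-key", [:status]}
])

plug_opts = MyApp.Plugs.RequireApiKey.init(scope: :analytics)

run = fn headers ->
  conn = Plug.Test.conn(:get, "/analytics")
  conn = Enum.reduce(headers, conn, fn {k, v}, c -> Plug.Conn.put_req_header(c, k, v) end)
  conn = MyApp.Plugs.RequireApiKey.call(conn, plug_opts)
  {conn.halted, conn.status}
end

IO.inspect(run.([{"x-api-key", "analytics-key-from-env"}]), label: "analytics key")
IO.inspect(run.([{"x-api-key", "status-only-key"}]), label: "status-only key")
IO.inspect(run.([]), label: "no key")
```

In a Phoenix router the plug is wired into the pipeline that fronts the analytics routes (for example `plug MyApp.Plugs.RequireApiKey, scope: :analytics`), so the controller never sees the key at all; the first request above passes through unhalted, while the status-only key and the missing header both halt with a 401.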
