Need

Ensure that LDAP service credentials are encrypted.

Context

• Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
• Usage of Exldap (0.5.7 and above) for LDAP integration
• Usage of Cloak for data encryption and decryption

Description

Non compliant code

        defmodule MyApp.Ldap do
  def ldap_config() do
    {:ok, 'ldap.myapp.com', 'admin', 'password'}
  end
end
        
        

The code is insecure because it exposes LDAP service credentials in plain text. This allows anyone who has access to the code to obtain the credentials and access the LDAP service.

Steps

• Install the Cloak library to handle encryption and decryption of sensitive data.
• Encrypt LDAP service credentials before storing them in the code.
• Decrypt the data when accessing it.

Compliant code

        defmodule MyApp.Ldap do
  def ldap_config() do
    encrypted_host = Cloak.Cipher.encrypt('ldap.myapp.com')
    encrypted_username = Cloak.Cipher.encrypt('admin')
    encrypted_password = Cloak.Cipher.encrypt('password')
    {:ok, encrypted_host, encrypted_username, encrypted_password}
  end
end
        
        

The code is secure because it encrypts the LDAP service credentials before storing them in the code. The credentials are decrypted when accessed, ensuring the stored credentials are unreadable without the decryption key.

References

• 248. Non-encrypted confidential information - LDAP