This rule ensures that sensitive information such as API keys and passwords is not included in plain text in the source code.
defmodule MyApp.Repo do
  use Ecto.Repo,
    otp_app: :my_app,
    adapter: Ecto.Adapters.Postgres

  # Credentials hard-coded in source: this is the flaw the example demonstrates.
  # (Ecto applies connection settings from init/2, not from the `use` options.)
  @impl true
  def init(_type, config) do
    {:ok, Keyword.merge(config, username: "admin", password: "plaintextpassword")}
  end
end
This code is vulnerable because the database password is stored in plain text in the source code. Anyone with access to the source code can access the database, posing a serious security risk.
defmodule MyApp.Repo do
  use Ecto.Repo,
    otp_app: :my_app,
    adapter: Ecto.Adapters.Postgres

  # Credentials are read from the environment at startup as base64-encoded
  # Cloak ciphertexts and decrypted by MyApp.Vault, the app's Cloak.Vault module.
  @impl true
  def init(_type, config) do
    unseal = fn var -> var |> System.fetch_env!() |> Base.decode64!() |> MyApp.Vault.decrypt!() end
    {:ok, Keyword.merge(config, username: unseal.("DB_USERNAME"), password: unseal.("DB_PASSWORD"))}
  end
end
In the secure code, the database credentials are stored as Cloak ciphertexts in environment variables and decrypted with the Cloak library when the repository starts, so they never appear in plain text in the source code. Cloak still needs its encryption key at runtime; that key must be supplied by the deployment environment or a secrets manager and must never be committed alongside the code, otherwise the encryption adds nothing.
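As an added example, not code from the original page, the following shows the Cloak vault such a Repo could rely on, with its key supplied through the environment, together with helpers that seal a credential into the base64 form kept in DB_PASSWORD and unseal it at startup. The module names MyApp.Vault and MyApp.Secrets and the variable name CLOAK_KEY are assumptions.

```elixir
# Added example (not from the original page). Assumed names: MyApp.Vault,
# MyApp.Secrets, CLOAK_KEY. Requires the cloak library (Cloak.Vault, AES-GCM).
defmodule MyApp.Vault do
  use Cloak.Vault, otp_app: :my_app

  # The vault key is the only secret the deployment has to inject: 32 random
  # bytes, base64-encoded, in CLOAK_KEY. It is resolved at boot, never compiled in.
  @impl GenServer
  def init(config) do
    key = "CLOAK_KEY" |> System.fetch_env!() |> Base.decode64!()
    if byte_size(key) != 32, do: raise("CLOAK_KEY must decode to exactly 32 bytes")

    ciphers = [default: {Cloak.Ciphers.AES.GCM, tag: "AES.GCM.V1", key: key, iv_length: 12}]
    {:ok, Keyword.put(config, :ciphers, ciphers)}
  end
end

defmodule MyApp.Secrets do
  @moduledoc "Helpers for credentials kept as Cloak ciphertexts in environment variables."

  # Run once (for example in `iex -S mix` with CLOAK_KEY set) to produce the value
  # to place in DB_PASSWORD or DB_USERNAME. The result is ciphertext, so it can be
  # handed to the deployment environment without revealing the credential.
  def seal(plaintext) when is_binary(plaintext) do
    plaintext |> MyApp.Vault.encrypt!() |> Base.encode64()
  end

  # Called from the repository configuration at startup. Fails loudly when the
  # variable is missing, is not base64, decrypts to an empty string, or was
  # sealed under a different key (AES-GCM authentication rejects it).
  def fetch!(var) when is_binary(var) do
    sealed = System.fetch_env!(var)

    with {:ok, raw} <- Base.decode64(sealed),
         {:ok, plain} when plain != "" <- MyApp.Vault.decrypt(raw) do
      plain
    else
      _ -> raise ArgumentError, "#{var} does not hold a valid sealed credential"
    end
  end
end
```

Rotating the vault key then means re-running seal/1 for each stored credential and redeploying the new ciphertexts together with the new CLOAK_KEY.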