Insecure Object Reference - Data - Elixir

Insecure Object Reference - Data - Elixir

Need

Prevent unauthorized users from accessing or manipulating other stores' data

Context

  • Usage of Elixir 1.12 for functional programming and building scalable applications
  • Usage of Phoenix Framework 1.6 for web development

Description

Non compliant code

        def show(conn, %{"id" => id}) do
  store = Repo.get!(Store, id)
  send_resp(conn, :ok, store)
end
        
        

This insecure code example shows an Elixir Phoenix application that retrieves a store's data by its ID without checking the user's permissions. An attacker can exploit this by guessing or brute-forcing the store IDs to access and manipulate other stores' data.

Steps

  • Before returning the store's data, check if the authenticated user has the necessary permissions to access it
  • Return a 403 Forbidden status code if the user does not have the necessary permissions

Compliant code

        def show(conn, %{"id" => id}) do
  store = Repo.get!(Store, id)
  if has_permission?(conn.assigns[:current_user], store) do
    send_resp(conn, :ok, store)
  else
    send_resp(conn, :forbidden, "You do not have permission to access this store's data")
  end
end

defp has_permission?(user, store) do
  user.id == store.user_id
end
        
        

This secure code example includes a check to ensure the authenticated user has the necessary permissions to access the store's data before it is returned. If they do not, a 403 Forbidden status code is returned.

References