Security Controls Bypass or Absence - Session Invalidation - Elixir

Need

To ensure proper session management and invalidate sessions appropriately

Context

Usage of Elixir 1.12 for building scalable and concurrent applications
Usage of Plug.Session for HTTP session management

Description

Non compliant code

        defmodule MyApp.Accounts do
  def get_user_email(conn) do
    session = Plug.Conn.get_session(conn, :user)
    if session == "auto", do: "test@test.com", else: session.email
  end
end

In the insecure code example, the get_user_email function checks the session to find the user's email. However, there is debug code left in that allows anyone to pass in a session with the word 'auto' and get access to a testing email. This is insecure as it allows unauthorized access.

Steps

Remove the debugging code from the production environment
Ensure all test code is isolated from production code

Compliant code

        defmodule MyApp.Accounts do
  def get_user_email(conn) do
    session = Plug.Conn.get_session(conn, :user)
    session.email
  end
end

In the secure code example, the get_user_email function only checks the session for the user's email, and there is no debug code that can be exploited for unauthorized access.

References

345. Security controls bypass or absence - Session Invalidation