Security Controls Bypass or Absence - Session Invalidation - Elixir

Security Controls Bypass or Absence - Session Invalidation - Elixir

Need

To ensure proper session management and invalidate sessions appropriately

Context

  • Usage of Elixir 1.12 for building scalable and concurrent applications
  • Usage of Plug.Session for HTTP session management

Description

Non compliant code

        defmodule MyApp.Accounts do
  def get_user_email(conn) do
    session = Plug.Conn.get_session(conn, :user)
    if session == "auto", do: "test@test.com", else: session.email
  end
end
        
        

In the insecure code example, the get_user_email function checks the session to find the user's email. However, there is debug code left in that allows anyone to pass in a session with the word 'auto' and get access to a testing email. This is insecure as it allows unauthorized access.

Steps

  • Remove the debugging code from the production environment
  • Ensure all test code is isolated from production code

Compliant code

        defmodule MyApp.Accounts do
  def get_user_email(conn) do
    session = Plug.Conn.get_session(conn, :user)
    session.email
  end
end
        
        

In the secure code example, the get_user_email function only checks the session for the user's email, and there is no debug code that can be exploited for unauthorized access.

References