Insecure Object Reference
Need
Prevent unauthorized access to user data
Context
- Usage of Elixir (1.10 and above) for building scalable and fault-tolerant applications
- Usage of Phoenix Framework for building web applications
- Usage of Ecto ORM for data access
Description
Non compliant code
def show(conn, %{'id' => id}) do
user = Repo.get(User, id)
render(conn, 'show.json', user: user)
end
The insecure code example takes an 'id' parameter from the incoming request and directly uses it to fetch the user data from the database. This means that an attacker can modify the 'id' in the request to access data of any user.
Steps
- Avoid using direct references to internal objects.
- Use session-based user authentication and associate this with the users' actions.
- Instead of using the user-provided 'id', use the 'id' associated with the authenticated session.
Compliant code
def show(conn, %{'id' => id}) do
if conn.assigns.current_user.id == id do
user = Repo.get(User, id)
render(conn, 'show.json', user: user)
else
send_resp(conn, :forbidden, 'Access denied')
end
end
In the secure code example, the server first checks whether the authenticated user's 'id' matches the 'id' in the request. If it does not, the server returns a '403 Forbidden' response. This ensures that users can only access their own data.