Insecure Object Reference

Need

Prevent unauthorized access to user data

Context

Usage of Elixir (1.10 and above) for building scalable and fault-tolerant applications
Usage of Phoenix Framework for building web applications
Usage of Ecto ORM for data access

Description

Non compliant code

def show(conn, %{'id' => id}) do
  user = Repo.get(User, id)
  render(conn, 'show.json', user: user)
end

The insecure code example takes an 'id' parameter from the incoming request and directly uses it to fetch the user data from the database. This means that an attacker can modify the 'id' in the request to access data of any user.

Steps

Avoid using direct references to internal objects.
Use session-based user authentication and associate this with the users' actions.
Instead of using the user-provided 'id', use the 'id' associated with the authenticated session.

Compliant code

def show(conn, %{'id' => id}) do
  if conn.assigns.current_user.id == id do
    user = Repo.get(User, id)
    render(conn, 'show.json', user: user)
  else
    send_resp(conn, :forbidden, 'Access denied')
  end
end

In the secure code example, the server first checks whether the authenticated user's 'id' matches the 'id' in the request. If it does not, the server returns a '403 Forbidden' response. This ensures that users can only access their own data.

References

013.Insecure object reference

Need​

Context​

Description​

Non compliant code​

Steps​

Compliant code​

References​