Insecure Temporary Files
Need
Securely store sensitive information
Context
- Usage of Elixir (1.11 and above) for building scalable and fault-tolerant applications
- Usage of Phoenix Framework (1.5+) for building web applications
Description
Non compliant code
defmodule TempFilesController do
use MyAppWeb, :controller
def write(conn, %{'data' => data}) do
File.write!('/tmp/temp_file', data)
send_resp(conn, 200, "Data written to temporary file.")
end
end
The above code is vulnerable because it writes sensitive information to a temporary file '/tmp/temp_file'. This file is accessible to all other users on the system, and can also be read by any other processes. This exposes the sensitive information to potential unauthorized access and theft.
Steps
- Avoid saving sensitive information in temporary files.
- Encrypt sensitive data before saving.
- Ensure temporary files are securely deleted after use.
Compliant code
defmodule SecureStorageController do
use MyAppWeb, :controller
def write(conn, %{'data' => data}) do
encrypted_data = Encryption.encrypt(data)
{:ok, _} = SecureStorage.put(encrypted_data)
send_resp(conn, 200, "Data securely stored.")
end
end
In the secure code example, the sensitive data is first encrypted before being stored, ensuring that even if unauthorized access were to occur, the data would be unreadable without the decryption key. The 'SecureStorage' is a hypothetical secure storage system that should be substituted with an actual secure data storage system in your application.