Skip to main content

Business Information Leak


Prevention of unauthorized access to sensitive business data.


  • Usage of Elixir (v1.11+) for building scalable and fault-tolerant applications
  • Usage of Phoenix Framework for building web applications


Non compliant code

def index(conn, _params) do
users = Repo.all(User)
render(conn, "index.json", users: users)

This Elixir code is a simple controller action in a Phoenix API that lists all the users in the database. The Repo.all(User) fetches all users' information from the database, including sensitive data such as usernames, employee information, client information, provider information, and strategic information. This is a business information leak vulnerability because it exposes sensitive business data without proper access control checks.


  • Implement proper access control checks before retrieving data from the database.
  • Restrict what information is sent to the client.
  • Consider using view models to control what data is sent to the client.

Compliant code

def index(conn, _params) do
user = get_current_user(conn)
if user && user.role == 'admin'
users = Repo.all(User)
users = for user <- users, do: %{id:, username: user.username}
render(conn, "index.json", users: users)
conn |> put_status(:forbidden) |> json(%{message: 'Forbidden'})

In this code, before we fetch any user data, we check if the currently authenticated user is an admin. If they are, we fetch the users but only return the id and username, removing any sensitive information. If the current user is not an admin, we return a 403 Forbidden response.