Remote File Inclusion
Need
Prevent execution of remote files to maintain application integrity and confidentiality of data.
Context
- Usage of Elixir for building scalable and fault-tolerant applications
- Usage of Plug and Cowboy for HTTP request and response handling
- Usage of a server that accepts URLs or file paths from user input
Description
Non-compliant code
defmodule VulnerableApp do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/" do
    # The file path is taken straight from the query string (?filename=...),
    # so the client decides which file the server opens. Deliberately unsafe.
    conn = fetch_query_params(conn)
    filename = conn.query_params["filename"]
    file_content = File.read!(filename)
    send_resp(conn, 200, file_content)
  end
end
This code opens a file whose path is supplied directly by user input and serves it from the server's execution context, which could lead to Remote File Inclusion.
Steps
- Don't allow file paths or URLs to be specified directly by user input.
- Sanitize all user inputs to ensure they don't contain malicious code.
- Use a safe method for handling files, such as storing file references in a database and retrieving them by ID.
Compliant code
defmodule SecureApp do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/" do
    # The client only supplies an opaque ID; the path is never taken from input.
    conn = fetch_query_params(conn)
    file_id = conn.query_params["file_id"]

    case lookup_filename(file_id) do
      nil ->
        # Unknown ID: do not crash the request, and reveal nothing else.
        send_resp(conn, 404, "not found")

      filename ->
        file_content = File.read!(filename)
        send_resp(conn, 200, file_content)
    end
  end

  # Query the database to retrieve the file path by ID; returns nil for an
  # unknown ID. The in-memory map below stands in for the real query.
  defp lookup_filename(file_id) do
    Map.get(%{"1" => "priv/files/readme.txt"}, file_id)
  end
end
This code retrieves files in a safe manner by resolving an ID through a database of file references rather than opening a path taken directly from user input.
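As an added example (not code from the original page), the compliant pattern above carried one step further in Elixir/Plug: the client sends an opaque file ID, the ID is resolved through a fixed table that stands in for the database lookup, and the resolved path is then confined to a base directory so that even a bad table entry cannot escape it. The module name, the base directory and the table contents are assumptions.

```elixir
# Added example: ID-based file serving with a path-confinement check.
# A file is served only if (1) the ID exists in the table and (2) the
# resolved path lies under @base_dir. Everything else is a 404.
defmodule FileServe do
  use Plug.Router

  # Assumed base directory; only files under it may ever be served.
  @base_dir Path.expand("priv/public_files")

  # Stand-in for the database lookup: file ID -> path relative to @base_dir.
  @files %{
    "1" => "readme.txt",
    "2" => "reports/2024.csv"
  }

  plug :match
  plug :dispatch

  get "/file" do
    conn = fetch_query_params(conn)

    with {:ok, rel} <- Map.fetch(@files, conn.query_params["file_id"]),
         {:ok, path} <- confine(rel),
         {:ok, body} <- File.read(path) do
      send_resp(conn, 200, body)
    else
      # Unknown ID, a path outside @base_dir, or an unreadable file all map
      # to the same 404, so the client learns nothing about the filesystem.
      _ -> send_resp(conn, 404, "not found")
    end
  end

  # Expand the relative path against @base_dir and reject any result that does
  # not stay inside it. This defends in depth: a table entry that was tampered
  # with (for example one containing "..") still cannot be served.
  defp confine(rel) do
    full = Path.expand(rel, @base_dir)

    if String.starts_with?(full, @base_dir <> "/") do
      {:ok, full}
    else
      {:error, :outside_base_dir}
    end
  end
end

# Start it under Cowboy with: Plug.Cowboy.http(FileServe, [])
```

A request whose `file_id` is not a key of the table, or whose table entry resolves outside `@base_dir`, receives 404 without the server ever opening a file.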