Technical Information Leak - Console Functions
Need
Avoid leaking technical information via console functions
Context
- Usage of Elixir (version 1.11 and above) for building scalable and fault-tolerant applications
- Usage of IO library for input/output operations
Description
Non-compliant code
defmodule Vulnerable do
  def process(data) do
    # Writes the full term to stdout and returns it unchanged
    IO.inspect(data)
    # Process data
  end
end
The IO.inspect function writes a representation of the whole term to standard output and returns it unchanged, which is why such calls are easy to leave behind after debugging. In a production environment stdout is usually captured by the container runtime or a log aggregator, so any credentials, tokens or personal data inside data end up in logs that many people and systems can read.
Steps
- Remove IO.inspect and IO.puts calls from production code paths instead of leaving them commented out where they can be re-enabled by accident.
- Use Logger, the standard logging library, so that output goes through configured backends (files, syslog, aggregators) with formatting and level control rather than raw stdout.
- Configure log levels so that debug-level messages are not emitted in production (or are purged at compile time), and redact sensitive fields before anything is logged.
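The following is an added example, not code from the original page, showing how the three steps above fit together in Elixir: Logger replaces IO.inspect, the debug message is lazy so it costs nothing when the level is :info, and the struct derives Inspect so that secret fields are hidden even if someone does inspect it. The module, struct and field names (Secure.User, password_hash, session_token) are hypothetical, as is the config/prod.exs fragment in the comments.

```elixir
# Added example (not part of the original page): replacing IO.inspect with
# Logger plus redaction. Module, struct and field names are hypothetical.
defmodule Secure.User do
  # Deriving Inspect with `except:` makes inspect/1 (and therefore any stray
  # IO.inspect or string interpolation) print these fields as `...`
  # instead of their values.
  @derive {Inspect, except: [:password_hash, :session_token]}
  defstruct [:id, :email, :password_hash, :session_token]
end

defmodule Secure do
  require Logger

  def process(%Secure.User{} = user) do
    # Lazy message: the closure is only evaluated when :debug is enabled,
    # and the call is compiled out entirely when compile_time_purge_matching
    # removes levels below :info.
    Logger.debug(fn -> "processing user #{inspect(user)}" end)

    # Business logic would go here; at :info log only the identifier,
    # never the full record.
    Logger.info("processed user", user_id: user.id)
    {:ok, user.id}
  end
end

# config/prod.exs (hypothetical configuration file contents):
#
#   config :logger,
#     level: :info,
#     compile_time_purge_matching: [[level_lower_than: :info]]
#
# Usage:
#   user = %Secure.User{id: 42, email: "a@example.com",
#                       password_hash: "$2b$...", session_token: "tok"}
#   Secure.process(user)
#   #=> {:ok, 42}
#   With level :info the debug line is never emitted; even at :debug the
#   derived Inspect renders the struct as
#   #Secure.User<id: 42, email: "a@example.com", ...>
```

Two design points: the lazy Logger.debug closure means the inspect/1 call is never executed in production, so there is no runtime cost and no chance of the secret reaching a backend; and deriving Inspect with except: protects against the next developer who adds an IO.inspect, because the redaction lives on the data rather than at each call site.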
Compliant code
defmodule Secure do
  def process(data) do
    # IO.inspect(data) removed: nothing is written to stdout
    # Process data
    data
  end
end
In the secure example the IO.inspect call has been removed (shown here as a comment) so that nothing is written to stdout. Routing messages through Logger with a production log level and redacting sensitive fields is the more robust approach, since it does not depend on every debugging call being found and deleted by hand.