Technical Information Leak - Console Functions

Need

Avoid leaking technical information via console functions

Context

  • Usage of Elixir (version 1.11 and above) for building scalable and fault-tolerant applications
  • Usage of the IO library for input/output operations

Description

Non-compliant code

defmodule Vulnerable do
  def process(data) do
    # Writes the full value of data (credentials, tokens, PII included) to stdout
    # in every environment, production included.
    IO.inspect(data)
    # Process data
  end
end

The IO.inspect function prints the complete value of data to the console regardless of the environment. In production that output ends up in stdout and whatever captures it, so any sensitive fields in data are exposed.

Steps

  • Remove or comment out IO functions in production code.
  • Use a proper logging library that writes to log files instead of stdout.
  • Implement a logging level feature where debug-level messages aren't logged in production.

Compliant code

defmodule Secure do
  def process(data) do
    # Debug output removed: nothing is written to stdout in production.
    # IO.inspect(data)
    # Process data
  end
end

In the secure example, the IO.inspect call has been commented out so the payload is no longer written to the console. A more robust approach is to route diagnostic output through a proper logging library, writing to log files and disabling debug-level messages in production, as described in the steps above.
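The following is an added example, not code from the original page, that applies the second and third steps (a logging library with a level gate instead of IO.inspect). It uses Elixir's standard Logger; the redact/1 helper, the list of sensitive keys, the Map.drop business logic and the sample payload are all constructed for illustration.

```elixir
# Added example (not part of the original page): replace the IO.inspect
# debugging call with Logger at :debug level, so that the production log
# level (set here at runtime with Logger.configure/1, normally in
# config/prod.exs) suppresses it. The payload and redact/1 are constructed.
defmodule Secure do
  require Logger

  def process(data) do
    # Lazy closure: the inspect string is only built if :debug is enabled,
    # so a production node at :info pays nothing and leaks nothing.
    Logger.debug(fn -> "processing payload: #{inspect(redact(data))}" end)
    # Process data (hypothetical business logic)
    Map.drop(data, [:password])
  end

  # Even at :debug, never log secrets: mask known sensitive keys (constructed list).
  defp redact(%{} = map) do
    Map.new(map, fn
      {k, _v} when k in [:password, :token, :secret] -> {k, "[REDACTED]"}
      kv -> kv
    end)
  end

  defp redact(other), do: other
end

# Constructed sample input.
payload = %{user: "alice", password: "hunter2"}

# Development-style setting: the debug entry is emitted through the Logger
# backend (with the password already masked), not written raw to stdout.
Logger.configure(level: :debug)
Secure.process(payload)

# Production setting, equivalent to this line in config/prod.exs:
#   config :logger, level: :info
# The debug entry is now dropped before its message is even built.
# To strip the call from compiled code entirely, prod config can also set:
#   config :logger, compile_time_purge_matching: [[level_lower_than: :info]]
Logger.configure(level: :info)
Secure.process(payload)
```

Run it with `elixir secure.exs`: the first call produces one [debug] line with the password masked, the second produces no log output at all.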