Data Uniqueness Not Properly Verified

Need

To ensure that sensitive data intended for single use cannot be reused or regenerated.

Context

  • Usage of Elixir for building scalable and fault-tolerant applications
  • Usage of Elixir Ecto for database query and manipulation
  • Usage of unique tokens for database record identification

Description

Non-compliant code

defmodule VulnerableApp.Accounts do
  alias VulnerableApp.Repo
  alias VulnerableApp.Accounts.User

  # Inserts the user as-is: nothing checks that the token has not been issued before,
  # so two users can end up sharing the same single-use token.
  def create_user(attrs \\ %{}) do
    %User{}
    |> User.changeset(attrs)
    |> Repo.insert()
  end
end

The Elixir code above creates a user record carrying a token but never validates that the token is unique. An attacker could therefore create multiple users with the same token, which undermines any mechanism that relies on the token identifying exactly one record.

Steps

  • Use Ecto's unique constraint feature to ensure that the token is unique across all users.
  • Handle Ecto's unique violation error when inserting a new user.

Compliant code

defmodule SecureApp.Accounts do
  alias SecureApp.Repo
  alias SecureApp.Accounts.User

  def create_user(attrs \\ %{}) do
    %User{}
    |> User.changeset(attrs)
    # Maps a violation of the database's unique index on :token to a changeset error,
    # so Repo.insert/1 returns {:error, changeset} instead of raising.
    # Requires a unique index on the token column (default name: users_token_index).
    |> Ecto.Changeset.unique_constraint(:token)
    |> Repo.insert()
  rescue
    # Only reached when a constraint fires that unique_constraint/3 did not declare.
    Ecto.ConstraintError -> {:error, "Token must be unique"}
  end
end

The Elixir code above creates a user record and validates the uniqueness of the token: a duplicate is rejected by the database and surfaced as an error, so an attacker cannot create multiple users with the same token.
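The constraint only works when a unique index actually exists in the database, and the insert result should be pattern-matched rather than rescued. The following is an added example, not code from the original page; the SecureApp module names, the users table layout and the generate_token/0 helper are assumptions.

```elixir
defmodule SecureApp.Repo.Migrations.AddUniqueTokenIndex do
  use Ecto.Migration

  def change do
    # Without this index, unique_constraint(:token) has nothing to enforce.
    # Default index name "users_token_index" matches the changeset default.
    create unique_index(:users, [:token])
  end
end

defmodule SecureApp.Accounts.User do
  use Ecto.Schema
  import Ecto.Changeset

  schema "users" do
    field :email, :string
    field :token, :string
    timestamps()
  end

  def changeset(user, attrs) do
    user
    |> cast(attrs, [:email, :token])
    |> validate_required([:email, :token])
    # Turns the index violation into an error on :token instead of an exception.
    |> unique_constraint(:token)
  end
end

defmodule SecureApp.Accounts do
  alias SecureApp.Repo
  alias SecureApp.Accounts.User

  # Assumed helper: 32 random bytes, URL-safe base64. Single-use tokens must be
  # unguessable as well as unique; uniqueness alone does not make them secret.
  def generate_token, do: :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)

  def create_user(attrs) when is_map(attrs) do
    attrs = Map.put_new(attrs, :token, generate_token())

    case %User{} |> User.changeset(attrs) |> Repo.insert() do
      {:ok, user} ->
        {:ok, user}

      # The database rejected a duplicate token; report it without leaking the value.
      {:error, %Ecto.Changeset{errors: errors} = changeset} ->
        if Keyword.has_key?(errors, :token), do: {:error, :token_taken}, else: {:error, changeset}
    end
  end
end
```

A caller that gets `{:error, :token_taken}` for a randomly generated token can safely retry with a fresh one; a caller supplying a client-chosen token should treat it as a hard rejection.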