Security Controls Bypass or Absence
Need
Prevent denial of service or system overloading by limiting request rate
Context
- Usage of Elixir for building scalable and fault-tolerant applications
- Usage of Plug Cowboy for building web applications with Elixir
- Handling high incoming requests
- Usage of API abuse detection and prevention techniques
Description
Non compliant code
defmodule MyApp.Router do
  use Plug.Router

  # No throttling plug runs before :match, so every request is routed and handled
  plug :match
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "Hello, world!")
  end

  match _ do
    send_resp(conn, 404, "Oops, not found!")
  end
end
This Elixir code is vulnerable because it exposes an API endpoint without any rate limiting: a single client can send an unbounded number of requests and exhaust the connection acceptors, CPU or downstream resources, denying service to every other user.
Steps
- Add a rate limiting package, such as 'plug_attack', to the project dependencies.
- Define a module that uses PlugAttack and declares a throttle rule keyed on the client IP (for example 100 requests per 60 seconds), backed by an ETS storage started in the application's supervision tree.
- Plug that module into the router before ':match', so throttled requests are rejected before they reach any route handler.
Compliant code
defmodule MyApp.PlugAttack do
  use PlugAttack

  # Throttle each client IP to 100 requests per 60 seconds. The ETS storage
  # must be started in the supervision tree, e.g. as the child
  # {PlugAttack.Storage.Ets, name: MyApp.PlugAttack.Storage, clean_period: 60_000}
  rule "throttle by ip", conn do
    throttle(conn.remote_ip,
      limit: 100,
      period: 60_000,
      storage: {PlugAttack.Storage.Ets, MyApp.PlugAttack.Storage}
    )
  end
end

defmodule MyApp.Router do
  use Plug.Router

  # The throttle runs before :match, so blocked requests never reach a route
  plug MyApp.PlugAttack
  plug :match
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "Hello, world!")
  end

  match _ do
    send_resp(conn, 404, "Oops, not found!")
  end
end
This Elixir code is safe because 'plug_attack' throttles each client IP to 100 requests per 60-second window; once the limit is exceeded, the request is rejected by PlugAttack's 'block_action' (a 403 response by default) before it is routed. Two caveats apply: 'conn.remote_ip' is the TCP peer address, so behind a load balancer or reverse proxy a plug that reads a trusted forwarded-for header must run first, otherwise every client shares the proxy's bucket; and ETS storage is node-local, so the limit is enforced per BEAM instance rather than across a cluster.
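The following is an added example, not code from the original page or from the 'plug_attack' project. It extends the compliant pattern above in two ways a practitioner usually wants: throttled requests are answered with 429 and X-RateLimit-* headers instead of the default 403, and an ExUnit test drives the router through Plug.Test to prove the limit is actually enforced and that buckets are per IP. The module names MyApp.ThrottleByIp, MyApp.ThrottleByIp.Storage and MyApp.ThrottledRouter are assumed, and the limit is lowered to 5 requests so the test runs quickly.

```elixir
# Added example: PlugAttack throttle with 429 + rate-limit headers, plus a test.
# Module names are assumptions; the limit of 5 is only to keep the test short.
defmodule MyApp.ThrottleByIp do
  use PlugAttack
  import Plug.Conn

  @limit 5
  @period 60_000
  @storage {PlugAttack.Storage.Ets, MyApp.ThrottleByIp.Storage}

  rule "throttle by ip", conn do
    # conn.remote_ip is the TCP peer; behind a proxy, run a trusted
    # forwarded-header plug first or every client shares the proxy's bucket.
    throttle(conn.remote_ip, limit: @limit, period: @period, storage: @storage)
  end

  # Allowed requests still carry quota headers so well-behaved clients back off early.
  def allow_action(conn, {:throttle, data}, _opts), do: put_ratelimit_headers(conn, data)
  def allow_action(conn, _data, _opts), do: conn

  # Blocked requests get 429 instead of PlugAttack's default 403.
  def block_action(conn, {:throttle, data}, _opts) do
    conn
    |> put_ratelimit_headers(data)
    |> send_resp(:too_many_requests, "Too many requests\n")
    |> halt()
  end

  def block_action(conn, _data, _opts) do
    conn |> send_resp(:forbidden, "Forbidden\n") |> halt()
  end

  # data is the keyword list PlugAttack.throttle/2 returns:
  # :limit, :remaining, :period and :expires_at (unix time in milliseconds)
  defp put_ratelimit_headers(conn, data) do
    conn
    |> put_resp_header("x-ratelimit-limit", Integer.to_string(data[:limit]))
    |> put_resp_header("x-ratelimit-remaining", Integer.to_string(data[:remaining]))
    |> put_resp_header("x-ratelimit-reset", Integer.to_string(div(data[:expires_at], 1_000)))
  end
end

defmodule MyApp.ThrottledRouter do
  use Plug.Router

  plug MyApp.ThrottleByIp
  plug :match
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "Hello, world!")
  end

  match _ do
    send_resp(conn, 404, "Oops, not found!")
  end
end

defmodule MyApp.ThrottleByIpTest do
  use ExUnit.Case, async: false
  import Plug.Test
  import Plug.Conn, only: [get_resp_header: 2]

  setup do
    # Fresh ETS table per test so counters from one test never leak into another
    start_supervised!({PlugAttack.Storage.Ets, name: MyApp.ThrottleByIp.Storage, clean_period: 60_000})
    :ok
  end

  # Constructed request from a chosen source IP, run through the full router pipeline
  defp request(ip) do
    conn = %{conn(:get, "/") | remote_ip: ip}
    MyApp.ThrottledRouter.call(conn, MyApp.ThrottledRouter.init([]))
  end

  test "the sixth request from one IP within the period is rejected" do
    ip = {10, 0, 0, 7}
    statuses = for _ <- 1..5, do: request(ip).status
    assert statuses == [200, 200, 200, 200, 200]

    blocked = request(ip)
    assert blocked.status == 429
    assert get_resp_header(blocked, "x-ratelimit-remaining") == ["0"]
  end

  test "another IP has its own bucket" do
    for _ <- 1..5, do: request({10, 0, 0, 7})
    assert request({10, 0, 0, 8}).status == 200
  end
end
```

Run the test with 'mix test' in a project that lists 'plug' and 'plug_attack' as dependencies. Returning 429 rather than 403 matters operationally: clients and monitoring can distinguish a quota hit from an authorization failure, and the 'x-ratelimit-reset' header tells a legitimate client when to retry instead of hammering the endpoint.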