Directory Listing

Need

Prevent unauthorized listing of directory contents that could reveal sensitive information or application structure.

Context

  • Usage of Elixir (v1.11+) for building scalable and fault-tolerant applications
  • Usage of Plug.Static library for serving static files in Elixir

Description

Non-compliant code

  # endpoint.ex: serves everything under priv/static at the root path
  plug Plug.Static,
    at: "/",
    from: :app,
    gzip: false,
    only: ~w(css fonts images js favicon.ico robots.txt)

This configuration in the endpoint.ex file serves static assets at the root path from the application's static directory and its subdirectories. If the server is misconfigured, or a directory is requested that has no index file, anyone can obtain a listing of every file in those directories.

Steps

  • Disable directory listing in the server settings.
  • Enforce an index file to be served when a directory is accessed.
  • Ensure that only necessary files are publicly accessible.

Compliant code

  # endpoint.ex: an index file is served instead of a directory listing
  plug Plug.Static,
    at: "/",
    from: :app,
    gzip: false,
    index: "index.html",
    only: ~w(css fonts images js favicon.ico robots.txt)

The 'index' option is added to the configuration. It forces the 'index.html' file to be served whenever a directory is requested, so the directory contents are never listed and the vulnerability is mitigated.
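As an added regression test (not part of the original page), the ExUnit module below checks that a Plug.Static pipeline with the page's `at`, `from`, `gzip` and `only` settings serves a real file under an allowed prefix but never answers a directory path with a listing. The `DirectoryListingTest` and `Router` module names, the temporary `tmp/plug_static_test` static root and the sample `css/app.css` file are assumptions constructed for the test.

```elixir
# Added regression test; not code from the original page.
# Assumes Plug and ExUnit are available and the test may write to tmp/.
defmodule DirectoryListingTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  # Constructed static root used instead of `from: :app` (priv/static)
  @root "tmp/plug_static_test"

  defmodule Router do
    use Plug.Builder

    plug Plug.Static,
      at: "/",
      from: "tmp/plug_static_test",
      gzip: false,
      only: ~w(css js)

    # Whatever Plug.Static did not serve ends here instead of in a listing
    plug :not_found
    def not_found(conn, _opts), do: send_resp(conn, 404, "Not Found")
  end

  setup_all do
    File.mkdir_p!(Path.join(@root, "css"))
    File.write!(Path.join(@root, "css/app.css"), "body { color: red }")
    on_exit(fn -> File.rm_rf!(@root) end)
    :ok
  end

  test "a regular file under an allowed prefix is served" do
    conn = Router.call(conn(:get, "/css/app.css"), Router.init([]))
    assert conn.status == 200
    assert conn.resp_body == "body { color: red }"
  end

  test "directory paths fall through to 404 and are never listed" do
    for path <- ["/", "/css", "/css/"] do
      conn = Router.call(conn(:get, path), Router.init([]))
      assert conn.status == 404
      # A listing would contain anchors or an "Index of" heading
      refute conn.resp_body =~ ~r/Index of|<a href=/i
    end
  end
end
```

Run it with `mix test` from the application root; the assertions fail if a future configuration change starts exposing directory contents.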
