Lack of Data Validation - Out of Range
Need
Prevent unauthorized access to restricted functionalities
Context
- Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications
- Usage of Plug for request routing
Description
Non compliant code
defmodule MyAppWeb.EmployeeController do
  use MyAppWeb, :controller

  def show(conn, params) do
    # No authorization check: every request that reaches this action is
    # served, whatever domain the requester belongs to.
    # The id is also handed to the data layer without any validation.
    employee = MyApp.get_employee(params["id"])
    render(conn, "show.html", employee: employee)
  end
end
This code is vulnerable because the action never checks whether the requester is authorized to use the employee management panel, which in this guideline means whether the user belongs to an allowed domain. Access is enforced only by what the user interface links to, so an attacker who types the absolute path of the panel reaches the action directly and the record is returned. The id parameter is also passed straight to MyApp.get_employee without being validated.
Steps
- Add a function that checks whether the user is authorized to access the employee management panel based on their domain.
- Call this function before 'MyApp.get_employee' is invoked. If the check fails, return an error response (for example HTTP 403) instead of looking up the record.
Compliant code
defmodule MyAppWeb.EmployeeController do
  use MyAppWeb, :controller

  def show(conn, params) do
    if authorized_domain?(conn) do
      employee = MyApp.get_employee(params["id"])
      render(conn, "show.html", employee: employee)
    else
      # Deny by default; the record is never looked up.
      send_resp(conn, 403, "Access Denied")
    end
  end

  # Must return true only for users that belong to an allowed domain.
  # As written the body is empty, so it evaluates to nil and every
  # request is denied until the check is implemented.
  defp authorized_domain?(conn) do
    # Implement your domain validation logic here
  end
end
This code is safe because every request to the action first passes authorized_domain?/1; a user who is not authorized receives a 403 'Access Denied' response and the employee record is never looked up. Note that the check lives inside a single action: every other action of the employee management panel needs the same check, or the check should be moved into a Plug that runs for the whole controller, otherwise an attacker can still reach the unguarded actions by their absolute paths.
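One way to carry out the steps above so that the check cannot be skipped by requesting an absolute path, written as an added example for this page and not taken from the original code or from any project: the domain check becomes a Plug that runs before every action of the controller and halts the connection on failure, and the show action parses the id as a positive integer before passing it to the data layer (the out-of-range concern named in the title). The module name MyAppWeb.Plugs.RequireAuthorizedDomain, the allowed-domain list, and the assumption that an earlier authentication plug has placed a user with an :email field in conn.assigns.current_user are all assumptions of this example.

```elixir
defmodule MyAppWeb.Plugs.RequireAuthorizedDomain do
  # Added example, not code from the original page.
  # Assumption: an earlier authentication plug stored the user in
  # conn.assigns.current_user with an :email field.
  import Plug.Conn
  @behaviour Plug

  @impl true
  def init(opts) do
    # Normalise the allow list once, when the plug is initialised.
    opts
    |> Keyword.fetch!(:allowed_domains)
    |> Enum.map(&String.downcase/1)
  end

  @impl true
  def call(conn, allowed_domains) do
    with %{email: email} when is_binary(email) <- conn.assigns[:current_user],
         [local, domain] when local != "" <- String.split(email, "@", parts: 2),
         true <- String.downcase(domain) in allowed_domains do
      conn
    else
      # Unauthenticated user, malformed address or foreign domain:
      # deny and halt so that no later plug or action runs.
      _ ->
        conn
        |> send_resp(403, "Access Denied")
        |> halt()
    end
  end
end

defmodule MyAppWeb.EmployeeController do
  use MyAppWeb, :controller

  # Runs before every action in this controller, so reaching the panel by
  # typing its absolute URL still goes through the domain check.
  # The allow list here is an assumption of the example.
  plug MyAppWeb.Plugs.RequireAuthorizedDomain, allowed_domains: ["example.com"]

  def show(conn, %{"id" => id}) when is_binary(id) do
    # Range check on the identifier: only a positive integer reaches the
    # data layer; letters, negatives and trailing junk such as "1abc" are rejected.
    case Integer.parse(id) do
      {n, ""} when n > 0 ->
        employee = MyApp.get_employee(n)
        render(conn, "show.html", employee: employee)

      _ ->
        send_resp(conn, 400, "Invalid employee id")
    end
  end
end
```

Because the plug halts the connection, a request from a user outside the allowed domains never reaches any action of the controller, not only show, which closes the absolute-path bypass described above; the id check then ensures that only a well-formed, positive identifier is ever passed to MyApp.get_employee.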