Unauthorized access to files
Need
To prevent unauthorized access to files
Context
- Usage of Elixir (v1.12+) for building scalable and fault-tolerant applications
- Usage of Ecto.Repo for interacting with databases
Description
Non compliant code
defmodule MyApp.UserController do
use MyApp.Web, :controller
def update(conn, params) do
user = MyApp.Repo.get!(User, params["id"])
user = MyApp.Repo.update!(User.changeset(user, params))
path = "/sharepoint/files/#{user.id}/"
send_resp(conn, 200, "File updated at #{path}")
end
end
The Elixir code allows a user to update their data and get access to a specific path in the Sharepoint. However, it doesn't perform any validation or checks on the user input, which could lead to unauthorized access to files.
Steps
- Validate user input
- Check whether the user is authenticated
- Check whether the authenticated user is the same user that is trying to update the data
- Only give access to the specific path in the Sharepoint if the user is authenticated and is the same user that is trying to update the data
Compliant code
defmodule MyApp.UserController do
use MyApp.Web, :controller
def update(conn, params) do
user = MyApp.Repo.get!(User, params["id"])
user = MyApp.Repo.update!(User.changeset(user, params))
if user && conn.assigns.current_user && conn.assigns.current_user.id == user.id do
path = "/sharepoint/files/#{user.id}/"
send_resp(conn, 200, "File updated at #{path}")
else
send_resp(conn, 403, "Unauthorized")
end
end
end
The secure Elixir code checks whether the user is authenticated and is the same user that is trying to update the data before giving access to the specific path in the Sharepoint.