Business Information Leak - Credentials
Need
Prevent leakage of sensitive credentials
Context
- Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
- Usage of Plug (1.11.0 and above) for building composable web applications in Elixir
Description
Non compliant code
defmodule MyApp.Config do
@api_key "hard-coded-api-key"
def get_api_key do
@api_key
end
end
The code hard-codes a sensitive API key, which exposes the key if the code is leaked. An attacker obtaining this key can misuse it to impersonate the application.
Steps
- Remove hard-coded sensitive credentials from the code.
- Store sensitive credentials securely, such as in environment variables, or in encrypted configuration files.
Compliant code
defmodule MyApp.Config do
def get_api_key do
System.get_env("API_KEY")
end
end
The code retrieves the API key from an environment variable instead of hard-coding it. Even if the code is leaked, the sensitive API key remains secure.