Business Information Leak - Token
Need
Prevent user information from being exposed in session tokens
Context
- Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
- Usage of Plug (1.12.1 and above) for building composable web applications in Elixir
- Usage of Guardian for authentication and authorization (the Guardian.Serializer behaviour shown below is the 0.x API; Guardian 1.x expresses the same split through subject_for_token/2 and resource_from_claims/2, and the guidance is identical)
Description
Non compliant code
defmodule MyApp.GuardianSerializer do
  @behaviour Guardian.Serializer
  alias MyApp.User  # assumed module name for the %User{} struct
  # Leaks PII: email and name travel inside the token subject alongside the id.
  def for_token(user = %User{}), do: {:ok, "User:#{user.id}:#{user.email}:#{user.name}"}
  def from_token("User:" <> rest) do
    [id, email, name] = String.split(rest, ":", parts: 3)
    {:ok, %User{id: id, email: email, name: name}}
  end
end
This code writes the user's email and name into the token subject. Guardian issues JWTs, and a JWT payload is only base64url-encoded, not encrypted: anyone who obtains the token (from a log, a proxy, browser storage or a shared URL) can read the email and name without knowing the signing key. The signature protects the token's integrity, not its confidentiality, so "if an attacker can decode this token" means "if an attacker can see this token".
Steps
- Put only an opaque identifier (such as the user id) in the token subject; never email, name or other profile data.
- Look up whatever else the application needs about the user from the data store, using that id, when the token is consumed, so the token never has to carry it.
- Treat every claim as readable by whoever holds the token, and review each value before adding it to a token; a value that is only needed server-side stays server-side.
Compliant code
defmodule MyApp.GuardianSerializer do
  @behaviour Guardian.Serializer
  alias MyApp.{Repo, User}  # assumed module names (Ecto repo and user schema)
  # Only the opaque id is placed in the token; email and name stay server-side.
  def for_token(user = %User{}), do: {:ok, "User:#{user.id}"}
  # Rehydrate the resource from the database on every request instead of
  # trusting anything beyond the id that arrives inside the token.
  def from_token("User:" <> id), do: {:ok, Repo.get(User, id)}
  def from_token(_), do: {:error, "Unknown resource type"}
end
The secure code places only the user's identifier in the token, so email and name never travel inside it; anything else the application needs about the user is looked up server-side from that id, where access control and logging apply.
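The following is an added example, not code from the original page or from the Guardian project. It shows, using only the Python standard library, why the non-compliant subject is exposed: it mints an HS256 JWT whose sub claim mirrors each serializer above, then decodes the payload without the signing key, exactly as an attacker holding a captured token would. It also includes a small review-time check that flags a subject carrying any user attribute other than the id. The user record, the signing key and the function names are constructed for this demonstration.

```python
"""Demonstration that JWT claims are readable without the signing key,
contrasting a PII-bearing subject with an opaque-id subject.
Standard library only; all sample data below is constructed."""
import base64
import hashlib
import hmac
import json

# Constructed sample data: a hypothetical user record and signing key.
USER = {"id": 42, "email": "alice@example.com", "name": "Alice Example"}
SECRET = b"demo-signing-key-do-not-use"


def _b64url(data: bytes) -> str:
    """base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Restore the padding stripped by _b64url and decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(subject: str, secret: bytes) -> str:
    """Build a minimal HS256 JWT whose 'sub' claim is `subject`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": subject}, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes) -> bool:
    """Integrity check only: a valid signature says nothing about secrecy."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url_decode(sig), expected)


def leaky_subject(user: dict) -> str:
    """Mirrors the non-compliant serializer: id, email and name in the subject."""
    return f"User:{user['id']}:{user['email']}:{user['name']}"


def opaque_subject(user: dict) -> str:
    """Mirrors the compliant serializer: only the opaque id."""
    return f"User:{user['id']}"


def peek_claims(token: str) -> dict:
    """What an attacker does with a captured token: decode the payload.
    No secret is involved; the payload is base64url text, not ciphertext."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def subject_leaks_pii(subject: str, user: dict) -> bool:
    """Review-time check: True if any user attribute other than the id
    appears verbatim in the subject string."""
    return any(str(value) in subject for key, value in user.items() if key != "id")


if __name__ == "__main__":
    for build in (leaky_subject, opaque_subject):
        token = mint_hs256(build(USER), SECRET)
        sub = peek_claims(token)["sub"]  # read without SECRET
        print(f"{build.__name__:15} valid_sig={verify_hs256(token, SECRET)} "
              f"sub={sub!r} leaks_pii={subject_leaks_pii(sub, USER)}")
```

Running the script prints both subjects recovered from the tokens without using the key; only the leaky one trips subject_leaks_pii. The check is deliberately strict (any non-id attribute, anywhere in the subject) so it can sit in a test suite next to the serializer and fail the build if someone later adds a "convenient" field to the token.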