Business Information Leak - Users
Need
Prevent exposure of valid users' list
Context
- Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
- Usage of Plug (1.12.1 and above) for building composable web applications in Elixir
- Usage of Ecto for database query and manipulation (version 3.6.2 and above)
Description
Non compliant code
defmodule MyApp.UserController do
use MyApp.Web, :controller
def index(conn, _params) do
users = Repo.all(User)
render(conn, "index.json", users: users)
end
end
This insecure code is exposing the list of all users without any checks or restrictions. This could allow attackers to obtain information about valid users in the system.
Steps
- Restrict access to user lists and only expose it when necessary and to authorized users.
- Include server-side checks to ensure only authorized users can access the data.
Compliant code
defmodule MyApp.UserController do
use MyApp.Web, :controller
def index(conn, _params) do
if authorized?(conn) do
users = Repo.all(User)
render(conn, "index.json", users: users)
else
send_resp(conn, :unauthorized, "")
end
end
defp authorized?(conn) do
# Add authorization checks here
end
end
The secure code only provides the list of users if the user is authorized. It ensures that only the right users can see the user list.