Business Information Leak - Personal Information
Need
Avoid exposing real users' personal information by storing it in the source code
Context
- Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
- Usage of Plug (1.12.0 and above) for building composable web application modules
Description
Non-compliant code
defmodule MyApp.UserController do
  use MyApp.Web, :controller

  def show(conn, %{"id" => id}) do
    # Real personal data is written as literals in the module, so it ships
    # with every copy of the repository and every build artifact.
    user = %{id: "real_id", phone: "real_phone_number"}
    render(conn, "show.json", user: user)
  end
end
The non-compliant code embeds real personal information (such as ID numbers and phone numbers) as literals in the source code. Anyone who can read the repository or its build artifacts obtains that data, which is a data breach in itself and gives an attacker material for social engineering.
Steps
- Never hard-code real personal information within your source code.
- Use environment variables or secure configuration files to store sensitive data if necessary.
Compliant code
defmodule MyApp.UserController do
  use MyApp.Web, :controller

  def show(conn, %{"id" => id}) do
    # The values are read from the process environment at request time;
    # the source code itself contains no personal data.
    user = %{id: System.get_env("USER_ID"), phone: System.get_env("PHONE_NUMBER")}
    render(conn, "show.json", user: user)
  end
end
The compliant code reads the values from environment variables instead of hard-coding them, so the personal information never appears in the source code and cannot leak together with it.
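As an added example (not the page's own code), the "secure configuration files" option from the Steps section: an assumed config/runtime.exs loads the variables once at boot with System.fetch_env!/1, which raises if one is unset, and the controller reads them from the application environment instead of calling System.get_env/1 on every request. Both files are shown in one block; the paths, the :my_app application name and the config keys are assumptions.

```elixir
# config/runtime.exs (assumed path). Elixir evaluates this file when the
# release boots, not at compile time, so the values are never baked into
# the compiled artifacts or the repository.
import Config

config :my_app, MyApp.UserController,
  # fetch_env!/1 raises at startup when a variable is missing, so a
  # misconfigured deployment fails loudly instead of rendering nil.
  user_id: System.fetch_env!("USER_ID"),
  phone: System.fetch_env!("PHONE_NUMBER")

# lib/my_app_web/controllers/user_controller.ex (assumed path)
defmodule MyApp.UserController do
  use MyApp.Web, :controller

  def show(conn, %{"id" => _id}) do
    # Values come from the application environment populated by runtime.exs;
    # this module contains no personal data and does not touch the OS
    # environment per request.
    contact = Application.fetch_env!(:my_app, __MODULE__)

    render(conn, "show.json",
      user: %{id: contact[:user_id], phone: contact[:phone]}
    )
  end
end
```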