
Non-encrypted Confidential Information - LDAP

Need

Ensure that LDAP service credentials are stored encrypted and never appear in plaintext in the source code.

Context

  • Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  • Usage of Exldap (0.5.7 and above) for LDAP integration
  • Usage of Cloak for data encryption and decryption

Description

Non-compliant code

defmodule MyApp.Ldap do
  def ldap_config() do
    # Host, bind user and password hard-coded as plaintext charlists and
    # committed to the repository with the rest of the module
    {:ok, 'ldap.myapp.com', 'admin', 'password'}
  end
end

The code is insecure because it hard-codes the LDAP bind credentials in plaintext. Anyone who can read the source, the version-control history or a build artifact obtains the credentials and can bind to the LDAP service with them. A password that has ever been committed must be treated as compromised and rotated, regardless of how the code is fixed afterwards.

Steps

  • Add the Cloak library and define a vault whose key is loaded at startup from the environment or a secrets manager, never from the code.
  • Encrypt the LDAP service credentials once, outside the repository, with that vault; store only the resulting ciphertext in configuration and keep the key out of the repository.
  • Decrypt the ciphertext at runtime, at the moment the LDAP connection is opened.

Compliant code

defmodule MyApp.Ldap do
  # The ciphertext was produced once with MyApp.Vault.encrypt!/1 (a Cloak
  # vault whose key is read from the environment) and lives in runtime
  # config, so neither a plaintext credential nor the key appears in the source.
  def ldap_config() do
    host = Application.fetch_env!(:my_app, :ldap_host)
    username = MyApp.Vault.decrypt!(Application.fetch_env!(:my_app, :ldap_username_enc))
    password = MyApp.Vault.decrypt!(Application.fetch_env!(:my_app, :ldap_password_enc))
    {:ok, host, username, password}
  end
end

The code is secure because the plaintext credentials never appear in the source: only ciphertext is stored, in runtime configuration, and it is decrypted by a Cloak vault whose key is loaded from the environment when the application starts. Without that key the stored values are unreadable. Note that calling the vault on a literal inside the module (for example `MyApp.Vault.encrypt!("password")`) would not help, because the plaintext would still be committed; the encryption has to happen once, outside the repository, with only its output stored. The key must be protected at least as carefully as the password it guards, and the hostname does not need encrypting at all, since it is not a secret.
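The complete setup the steps above describe, as an added example that is not part of the original page nor of the Cloak or Exldap projects: the vault module, the one-off encryption, the runtime configuration and a connection function that decrypts only at bind time. The names MyApp.Vault, the CLOAK_KEY, LDAP_HOST, LDAP_USERNAME_ENC and LDAP_PASSWORD_ENC environment variables and the :ldap_* config keys are assumptions; the connection call assumes Exldap.open/5 (server, port, ssl, user_dn, password).

```elixir
# Added example; not part of the original page. Assumes Cloak 1.x, an OTP
# application named :my_app, and the environment variables named below.

# 1. Vault: the key is read from the environment at startup. Generate it once
#    with `:crypto.strong_rand_bytes(32) |> Base.encode64()` and keep it in a
#    secrets manager, never in the repository.
defmodule MyApp.Vault do
  use Cloak.Vault, otp_app: :my_app

  @impl GenServer
  def init(config) do
    key =
      "CLOAK_KEY"
      |> System.fetch_env!()   # raise at boot if the key is absent: fail closed
      |> Base.decode64!()

    config =
      Keyword.put(config, :ciphers,
        default: {Cloak.Ciphers.AES.GCM, tag: "AES.GCM.V1", key: key, iv_length: 12}
      )

    {:ok, config}
  end
end

# The vault is a GenServer and must be started before use, e.g. in
# MyApp.Application: children = [MyApp.Vault, ...]

# 2. One-off, on a trusted workstation (iex -S mix) with CLOAK_KEY set:
#
#    iex> MyApp.Vault.encrypt!("admin") |> Base.encode64()
#    iex> MyApp.Vault.encrypt!("password") |> Base.encode64()
#
#    Put the two outputs in LDAP_USERNAME_ENC / LDAP_PASSWORD_ENC. The
#    plaintext is typed into the shell and never written into the project.

# 3. config/runtime.exs: only ciphertext reaches the application config.
#
#    config :my_app,
#      ldap_host: System.fetch_env!("LDAP_HOST"),
#      ldap_username_enc: "LDAP_USERNAME_ENC" |> System.fetch_env!() |> Base.decode64!(),
#      ldap_password_enc: "LDAP_PASSWORD_ENC" |> System.fetch_env!() |> Base.decode64!()

# 4. Runtime: decrypt only when the bind happens and keep the plaintext local
#    to this function instead of returning it as part of a config tuple.
defmodule MyApp.Ldap do
  def connect(port \\ 636, ssl \\ true) do
    host = Application.fetch_env!(:my_app, :ldap_host)

    with {:ok, user} <- MyApp.Vault.decrypt(Application.fetch_env!(:my_app, :ldap_username_enc)),
         {:ok, pass} <- MyApp.Vault.decrypt(Application.fetch_env!(:my_app, :ldap_password_enc)) do
      # :eldap expects charlists; to_charlist/1 is a no-op on a value that
      # already is one, so this is safe whether Exldap converts or not.
      Exldap.open(to_charlist(host), port, ssl, to_charlist(user), to_charlist(pass))
    else
      # A wrong or rotated key makes decrypt/1 return :error; surface it
      # rather than falling back to any hard-coded value.
      :error -> {:error, :credential_decrypt_failed}
    end
  end
end
```

Cloak's `decrypt/1` returns `{:ok, plaintext}` or `:error`, which is why the bind is wrapped in `with`: a key mismatch after rotation should fail the connection loudly instead of binding with garbage. Because the vault raises in `init/1` when CLOAK_KEY is missing, a deployment without the key never starts, which is the intended failure mode for a secret that must not be defaulted.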
