Insecure object reference - Personal information

Need

Prevent unauthorized modification of other user's information

Context

Usage of Elixir (version 1.12 and above) for building scalable and fault-tolerant applications
Usage of Phoenix Framework for building web applications
Usage of Plug for session handling
Usage of Ecto for data persistence

Description

Non compliant code

defmodule UserController do
  def update(conn, %{'id' => id, 'user' => user_params}) do
    user = Repo.get(User, id)
    changeset = User.changeset(user, user_params)
    Repo.update(changeset)
  end
end

The code below is insecure because it uses the user_id from the request parameters to fetch and update a user. An attacker can change the user_id parameter to update another user's information.

Steps

Store the authenticated user's id in the session after successful login.
Instead of getting the user id from request parameters, get it from the session.
Use the user id from the session to fetch and update the user.

Compliant code

defmodule UserController do
  def update(conn, %{'user' => user_params}) do
    id = get_session(conn, :user_id)
    user = Repo.get(User, id)
    changeset = User.changeset(user, user_params)
    Repo.update(changeset)
  end
end

The code below is secure because it uses the user_id stored in the session to fetch and update the user. Even if an attacker changes the user_id in the request parameters, it won't affect which user is updated because the user_id in the session is used.

References

286.Insecure object reference - Personal information

Need​

Context​

Description​

Non compliant code​

Steps​

Compliant code​

References​