Weak credential policy - Password Change Limit
Need
To prevent denial of service by repeatedly changing user's password.
Context
- Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
- Usage of Phoenix Framework for building web applications
- Usage of Ecto for data persistence
Description
Non compliant code
defmodule MyAppWeb.AccountController do
use MyAppWeb, :controller
def change_password(conn, %{"password" => password, "user_id" => id}) do
user = Repo.get!(User, id)
changeset = User.changeset(user, %{password: password})
Repo.update!(changeset)
render(conn, "password_changed.html")
end
end
This code is vulnerable because it allows a user's password to be changed without any limit on the number of requests. If an attacker is able to authenticate as a user, they can lock the user out of their account by repeatedly changing the password.
Steps
- Implement a rate limit on password change requests.
- Consider using a library or built-in framework feature to enforce rate limiting.
- Monitor account activity for suspicious behavior such as repeated password change requests.
Compliant code
defmodule MyAppWeb.AccountController do
use MyAppWeb, :controller
def change_password(conn, %{"password" => password, "user_id" => id}) do
user = Repo.get!(User, id)
if can_change_password?(user) do
changeset = User.changeset(user, %{password: password})
Repo.update!(changeset)
update_last_password_change(user)
render(conn, "password_changed.html")
else
render(conn, "password_change_limit.html")
end
end
defp can_change_password?(user) do
# check if user can change password
end
defp update_last_password_change(user) do
# update the time of last password change
end
end
In this secure code example, the can_change_password? function checks if the user has already changed their password within the rate limit period. If they have, the password change request is rejected and a different view is rendered.