Authentication Mechanism Absence or Evasion Vulnerability
Need
Prevent unauthorized access to protected resources
Context
• Usage of Elixir (1.10 and above) for building scalable and fault-tolerant applications
• Usage of plain maps for user management
Description
1. Non compliant code
defmodule User do
defstruct [:id, :data]
end
user = %User{id: 1, data: 'secret'}
def access_data(user) do
end...This Elixir code defines a user system using a struct User, which holds an id and data. The function 'access_data' allows any user to access data without any form of authentication. Therefore, any person can create a user struct and view sensitive data.
2. Steps
• Introduce a secure authentication process: Implement a login mechanism that requires a username and password to create a user session.
• Ensure critical functionality resources are protected by this authentication process.
• Ensure every request for these resources checks for an active and authenticated user session.
3. Secure code example
defmodule User do
defstruct [:id, :username, :password, :data]
end
user = %User{id: 1, username: 'user1', password: 'pass1', data: 'secret'}
def login(user, username, password) do
{:ok, user}...The revised code introduces a secure authentication mechanism. The User struct now includes 'username' and 'password' fields. The 'login' function checks these credentials and returns a session if they are correct. The 'access_data' function now requires a successful login before accessing data, effectively preventing unauthorized access.