Remote File Inclusion - Elixir


Need

Prevent execution of remote files to maintain application integrity and confidentiality of data.


Context

  1. Usage of Elixir for building scalable and fault-tolerant applications
  2. Usage of Plug and Cowboy for HTTP request and response handling
  3. Usage of a server that accepts URLs or file paths from user input

Description

Insecure Code Example

defmodule VulnerableApp do
  use Plug.Router

  plug :match
  plug :dispatch

  # Route paths are strings ("/"), not charlists ('/')
  get "/" do
    # Take the filename straight from the query string (?filename=...)
    conn = fetch_query_params(conn)
    filename = conn.query_params["filename"]
    # The user-controlled path reaches the file system unchecked
    file_content = File.read!(filename)
    send_resp(conn, 200, file_content)
  end
end

This code reads a file whose path is taken directly from user input, so the client decides which file the server opens; with a loader that accepts URLs this becomes Remote File Inclusion.

Steps

  1. Don't allow file paths or URLs to be specified directly by user input.
  2. Validate all user input so that it cannot carry paths, URLs or other malicious content.
  3. Use a safe method for handling files, such as storing file references in a database and retrieving them by an opaque ID.

Secure Code Example

defmodule SecureApp do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/" do
    conn = fetch_query_params(conn)
    file_id = conn.query_params["file_id"]

    case lookup_filename(file_id) do
      {:ok, filename} ->
        send_resp(conn, 200, File.read!(filename))

      :error ->
        # Unknown ID: reveal nothing about the file system
        send_resp(conn, 404, "Not found")
    end
  end

  # Resolve an opaque ID to a server-controlled path. In production this
  # queries the database; the fixed map below is a stand-in for it.
  defp lookup_filename(file_id) do
    Map.fetch(%{"1" => "/var/app/files/report.pdf"}, file_id)
  end
end

This code retrieves files safely: the client only supplies an ID, the server maps that ID to a path it controls, and an unknown ID yields a 404 instead of a file system error.
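The lookup-by-ID pattern from the Steps and the secure example above can be hardened one step further: even a stored reference should never be allowed to escape the directory the server intends to serve, or to name a remote resource. The following module is an added example, not code from the page; the base directory, the ID table (a stand-in for the database) and the module name are assumptions.

```elixir
defmodule SafeFileAccess do
  @moduledoc """
  Added example: resolve a client-supplied file ID to a path that is
  guaranteed to live under a fixed base directory and is never a URL.
  """

  # Assumed base directory; everything served must resolve beneath it.
  @base_dir "/var/app/files"

  # Constructed stand-in for the database of file references.
  @files %{
    "1" => "reports/q1.pdf",
    "2" => "images/logo.png"
  }

  @doc "Returns {:ok, absolute_path} or {:error, reason}."
  def resolve(file_id) when is_binary(file_id) do
    with {:ok, relative} <- fetch_reference(file_id),
         :ok <- reject_remote(relative),
         {:ok, path} <- confine(relative) do
      {:ok, path}
    end
  end

  def resolve(_), do: {:error, :invalid_id}

  # Only IDs present in the reference table are accepted; the client
  # never gets to supply a path.
  defp fetch_reference(file_id) do
    case Map.fetch(@files, file_id) do
      {:ok, relative} -> {:ok, relative}
      :error -> {:error, :unknown_id}
    end
  end

  # Defence in depth: a stored reference must not carry a URI scheme
  # (http://, ftp://, file://), even if the database row was tampered with.
  defp reject_remote(relative) do
    case URI.parse(relative).scheme do
      nil -> :ok
      _scheme -> {:error, :remote_reference}
    end
  end

  # Expand the reference against the base directory and verify the result
  # still sits inside it, so "../" segments or absolute paths cannot escape.
  defp confine(relative) do
    path = Path.expand(relative, @base_dir)

    if String.starts_with?(path, @base_dir <> "/") do
      {:ok, path}
    else
      {:error, :outside_base_dir}
    end
  end
end
```

A route would call `SafeFileAccess.resolve(file_id)` in place of the `lookup_filename/1` shown above and only pass the returned path to `File.read!/1` on `{:ok, path}`; every `{:error, _}` outcome maps to a 404 so the response reveals nothing about the file system. The three checks are independent: the ID table stops path injection from the client, the scheme check stops a remote reference from reaching any loader, and the base-directory check limits the damage if a reference in storage is ever modified.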


References

  • 061 - Remote File Inclusion

Last updated: 2023/09/18