
Database

Need

Prevent execution of remote files to maintain application integrity and confidentiality of data.

Context

• Usage of Elixir for building scalable and fault-tolerant applications

• Usage of Plug and Cowboy for HTTP request and response handling

• Usage of a server endpoint that accepts URLs or file paths from user input

Description

1. Non compliant code

defmodule VulnerableApp do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/" do
    # The path is taken verbatim from the client, e.g. ?file=../../etc/passwd
    conn = fetch_query_params(conn)
    filename = conn.query_params["file"]
    file_content = File.read!(filename)
    send_resp(conn, 200, file_content)
  end
end

This code reads whichever file the client names. Because the path is passed to File.read! unchanged, an attacker can point it at any file the application process can read (for example ../../etc/passwd), and if the fetched content is later evaluated or rendered by the server, the same flaw becomes Remote File Inclusion.

2. Steps

• Never let user input name a file path or URL directly.

• Validate all user input against a strict allowlist (for instance, a short numeric ID) and reject anything containing path separators, "..", or a URL scheme; trying to strip "malicious code" out of a path is not sufficient.

• Use a safe indirection for file access: store file references in a database (or another server-controlled table) and resolve a client-supplied ID to a server-chosen path, confirming that the resolved path stays inside the intended directory.

3. Secure code example

defmodule SecureApp do
  use Plug.Router

  plug :match
  plug :dispatch

  @files %{"1" => "/srv/files/report.pdf"}  # assumed stand-in for the database of file references
  get "/" do
    # Only an opaque id crosses the trust boundary, never a path
    conn = fetch_query_params(conn)
    file_id = conn.query_params["id"]
    filename = lookup_filename(file_id)
    send_resp(conn, 200, File.read!(filename))
  end
  defp lookup_filename(file_id), do: Map.fetch!(@files, file_id)
end

This code retrieves files safely: the client supplies only an opaque ID, which the server resolves against its own table of file references, so no client-controlled path ever reaches the file system.
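A complete version of the approach described in the steps above, as an added example that is not part of the original page: a Plug.Router that validates the ID with an allowlist, resolves it through a server-controlled table (a map standing in for the database), checks that the resolved path stays under a base directory even if a stored reference is bad, and returns 400/403/404 rather than crashing. The module name, the query parameter "id", the base directory under System.tmp_dir!, the @files map and the sample file are all assumptions made for this example. It runs offline with `elixir secure_files.exs`: Plug is fetched by Mix.install and the router is exercised through Plug.Test, so no Cowboy listener is started.

```elixir
# Added example, not from the original page. Run: elixir secure_files.exs
Mix.install([{:plug, "~> 1.14"}])

defmodule SecureApp.FileRouter do
  use Plug.Router

  # Assumption: served files live under this server-controlled directory.
  @base_dir Path.join(System.tmp_dir!(), "secure_app_files")

  # Stand-in for the database table of file references (id -> relative name).
  # Only the id ever comes from the client; names are chosen by the server.
  @files %{"1" => "report.pdf", "2" => "terms.txt"}

  plug :match
  plug :dispatch

  get "/files" do
    conn = fetch_query_params(conn)

    with {:ok, id} <- fetch_id(conn.query_params),
         {:ok, relative} <- lookup_filename(id),
         {:ok, path} <- resolve_under_base(relative),
         {:ok, content} <- File.read(path) do
      send_resp(conn, 200, content)
    else
      {:error, :missing_id} -> send_resp(conn, 400, "missing or invalid id")
      {:error, :unknown_id} -> send_resp(conn, 404, "not found")
      {:error, :outside_base} -> send_resp(conn, 403, "forbidden")
      {:error, _posix} -> send_resp(conn, 404, "not found")
    end
  end

  match _ do
    send_resp(conn, 404, "not found")
  end

  # Allowlist: short, digit-only ids. Anything else (including "../x") is
  # rejected before any lookup happens, so sanitising paths is never needed.
  defp fetch_id(%{"id" => id}) when is_binary(id) and byte_size(id) <= 20 do
    if Regex.match?(~r/\A\d+\z/, id), do: {:ok, id}, else: {:error, :missing_id}
  end

  defp fetch_id(_), do: {:error, :missing_id}

  defp lookup_filename(id) do
    case Map.fetch(@files, id) do
      {:ok, name} -> {:ok, name}
      :error -> {:error, :unknown_id}
    end
  end

  # Defence in depth: even a bad database row must not escape @base_dir.
  # Path.expand normalises ".." segments, so the prefix check is meaningful.
  def resolve_under_base(relative) do
    base = Path.expand(@base_dir)
    path = Path.expand(relative, base)

    if String.starts_with?(path, base <> "/"),
      do: {:ok, path},
      else: {:error, :outside_base}
  end

  def base_dir, do: @base_dir
end

# Constructed fixture: one real file under the base directory (id "2").
# Id "1" is in the table but has no file on disk, which yields a clean 404.
File.mkdir_p!(SecureApp.FileRouter.base_dir())
File.write!(Path.join(SecureApp.FileRouter.base_dir(), "terms.txt"), "sample terms")

import Plug.Test

opts = SecureApp.FileRouter.init([])

# Expected: id=2 -> 200, id=1 -> 404, the two traversal attempts -> 400,
# empty query -> 400. The URL-encoded variant is decoded by Plug before
# fetch_id sees it, so it is rejected by the same allowlist.
for query <- ["id=2", "id=1", "id=../../etc/passwd", "id=%2e%2e%2fetc%2fpasswd", ""] do
  resp = SecureApp.FileRouter.call(conn(:get, "/files?" <> query), opts)
  IO.puts("#{String.pad_trailing(query, 28)} -> #{resp.status} #{inspect(resp.resp_body)}")
end
```

The containment check in resolve_under_base is deliberately independent of the allowlist: if an attacker ever manages to write a traversal string into the file-reference table (for example through a separate upload or admin bug), the prefix test on the expanded path still stops the read.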