Technical Information Leak - Console Functions

Need

Avoid leaking technical information via console functions

Context

• Usage of Elixir (version 1.11 and above) for building scalable and fault-tolerant applications

• Usage of the IO module for input/output operations

Description

1. Non-compliant code

defmodule Vulnerable do
  def process(data) do
    # Writes the complete term to stdout in every environment, production included
    IO.inspect(data)
    # Process data
  end
end

The `IO.inspect` function prints the entire `data` term to the console. In a production environment this can expose sensitive information (credentials, tokens, personal data) through console output or captured stdout.

2. Steps

• Remove or comment out IO functions in production code.

• Use a proper logging library that writes to log files instead of stdout.

• Implement a logging level feature where debug-level messages aren't logged in production.

3. Secure code example

defmodule Secure do
  def process(data) do
    # IO.inspect(data)  # debugging output removed; nothing is written to stdout
    # Process data
    data
  end
end

In the secure example, the `IO.inspect` call has been commented out so that no data reaches the console. Writing to log files through a proper logging library, with debug-level messages disabled in production, is the more robust approach.
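The following is an added example (not the page's own code) showing how steps 2 and 3 can be applied in Elixir with the standard `Logger` module: debug output is emitted through `Logger.debug/1`, which is skipped when the configured level is higher, and sensitive keys are redacted before anything is formatted. The module name, the redacted key list and the config file path are assumptions for illustration.

```elixir
# Added example: level-aware, redacted logging instead of IO.inspect/1.
#
# Assumed production configuration (config/prod.exs in a Mix project):
#   config :logger,
#     level: :info,
#     compile_time_purge_matching: [[level_lower_than: :info]]
# With this setting Logger.debug/1 calls are removed at compile time, so the
# message below is never built or written in the production release.
defmodule SafeProcessor do
  require Logger

  # Keys whose values must never appear in any log sink (assumed list).
  @redacted_keys ["password", "token", "secret", "authorization"]

  # Process data, logging only a redacted view and only at :debug level.
  def process(data) do
    # Passing a function makes the message lazy: when the runtime level is
    # above :debug the function is not invoked and inspect/1 never runs.
    Logger.debug(fn -> "process/1 received: #{inspect(redact(data))}" end)
    # ... real processing ...
    data
  end

  # Replace values of sensitive keys, recursing into nested maps and lists.
  def redact(data) when is_map(data) do
    Map.new(data, fn {k, v} -> redact_pair(k, v) end)
  end

  def redact(data) when is_list(data), do: Enum.map(data, &redact/1)

  # Keyword-list entries ({key, value} tuples) get the same treatment.
  def redact({k, v}) when is_atom(k) or is_binary(k), do: redact_pair(k, v)

  def redact(data), do: data

  defp redact_pair(k, v) do
    if to_string(k) in @redacted_keys,
      do: {k, "[REDACTED]"},
      else: {k, redact(v)}
  end
end

# Example call with constructed input:
# SafeProcessor.redact(%{"user" => "alice", "password" => "hunter2"})
# returns %{"user" => "alice", "password" => "[REDACTED]"}
```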