Technical Information Leak - Console Functions - Elixir


Need

Avoid leaking technical information via console functions


Context

  1. Usage of Elixir (version 1.11 and above) for building scalable and fault-tolerant applications
  2. Usage of IO library for input/output operations

Description

Insecure Code Example

defmodule Vulnerable do
  def process(data) do
    IO.inspect(data)
    # Process data
  end
end

The `IO.inspect` function writes the full value of `data` to standard output. In a production environment that output ends up on the console or in container logs, so any sensitive information contained in `data` (credentials, tokens, personal data) is exposed to whoever can read them.

Steps

  1. Remove or comment out IO functions in production code.
  2. Use a proper logging library that writes to log files instead of stdout.
  3. Implement a logging level feature where debug-level messages aren't logged in production.

Secure Code Example

defmodule Secure do
  def process(data) do
    # IO.inspect(data)
    # Process data
  end
end

In the secure example, the `IO.inspect` call has been commented out, so the payload is no longer written to stdout. Replacing ad hoc console output with a proper logging library, writing to log files and configuring log levels so that debug-level messages are suppressed in production is the more robust approach.
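As an added example that is not part of this page's original code, the following shows steps 2 and 3 applied in Elixir: the standard library `Logger` replaces `IO.inspect`, and the production configuration drops debug-level messages. The module name `Secure.Processor`, the map-shaped payload, the `redact/1` helper, the sensitive-key list and the file paths are assumptions.

```elixir
# config/prod.exs (assumed path, excerpt)
import Config

# Step 3: debug-level messages never reach production output. The second
# option additionally strips Logger.debug calls at compile time, so the
# inspected payload is never even built in a production release.
config :logger,
  level: :info,
  compile_time_purge_matching: [[level_lower_than: :info]]

# lib/secure/processor.ex (assumed path)
defmodule Secure.Processor do
  require Logger

  # Keys whose values must never appear in any log sink (assumed list).
  @sensitive [:password, :token, :secret, :api_key]

  # Step 2: route diagnostics through Logger instead of IO.inspect/1, so the
  # configured backend, level and metadata policy apply to them.
  def process(data) when is_map(data) do
    # The function form is only evaluated when :debug is enabled, and the
    # payload is redacted before it is rendered.
    Logger.debug(fn -> "processing payload: " <> inspect(redact(data)) end)

    # Hypothetical processing step standing in for "# Process data".
    result = Map.put(data, :processed_at, DateTime.utc_now())

    # Production-safe message: an identifier as metadata, not the payload.
    Logger.info("record processed", record_id: Map.get(data, :id))
    {:ok, result}
  end

  # Mask sensitive values so even debug output in development leaks nothing.
  defp redact(data) do
    Map.new(data, fn
      {key, _value} when key in @sensitive -> {key, "[REDACTED]"}
      pair -> pair
    end)
  end
end
```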


References

  • 066 - Technical Information Leak - Console Functions

  • Last updated: 2023/09/18