
Security Controls Bypass or Absence - Elixir


Need

Prevent denial of service or system overloading by limiting request rate


Context

  1. Usage of Elixir for building scalable and fault-tolerant applications
  2. Usage of Plug Cowboy for building web applications with Elixir
  3. Handling high incoming requests
  4. Usage of API abuse detection and prevention techniques

Description

Insecure Code Example

defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "Hello, world!")
  end

  match _ do
    send_resp(conn, 404, "Oops, not found!")
  end
end

This Elixir code is vulnerable because it exposes an API endpoint without any rate limiting, so any single client can send an unlimited number of requests and exhaust the server's capacity.

Steps

  1. Add a rate limiting package, such as 'plug_attack'.
  2. Configure the rate limit rules in the 'plug_attack' config.

Secure Code Example

defmodule MyApp.PlugAttack do
  use PlugAttack

  # Throttle each client IP address to 100 requests per 60 seconds.
  # Counters are kept in the ETS table started under the application supervisor.
  rule "throttle by ip", conn do
    throttle conn.remote_ip,
      period: 60_000,
      limit: 100,
      storage: {PlugAttack.Storage.Ets, MyApp.PlugAttack.Storage}
  end
end

defmodule MyApp.Router do
  use Plug.Router

  # Run the rate limiter before routing so every endpoint is covered.
  # `use PlugAttack` makes MyApp.PlugAttack a plug; blocked requests are
  # answered with 403 and halted before they reach a route handler.
  plug MyApp.PlugAttack

  plug :match
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "Hello, world!")
  end

  match _ do
    send_resp(conn, 404, "Oops, not found!")
  end
end

# Start the ETS storage in the application supervision tree:
# children = [
#   {PlugAttack.Storage.Ets, name: MyApp.PlugAttack.Storage, clean_period: 60_000}
# ]

This Elixir code is safe because it passes every request through a 'plug_attack' rule before routing. The rule limits requests to 100 per minute (a 60_000 ms period) from a single IP address, and requests over that limit are blocked before they reach a handler.
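The following is an added example, not code from the original page: a self-contained limiter, router and ExUnit test that verifies the throttle really rejects the 101st request from one address within the window while other addresses are unaffected, and that replaces the library's default 403 with 429 Too Many Requests plus rate-limit headers. The module names (RateLimitExample.*), the sample IP addresses and the child spec keywords for PlugAttack.Storage.Ets are assumptions for this example.

```elixir
# Added example, not part of the original page. Assumes plug_attack, plug and
# ExUnit are available; RateLimitExample.* module names are made up here.
defmodule RateLimitExample.Limiter do
  import Plug.Conn
  use PlugAttack

  # Same policy as the secure example: 100 requests per 60 seconds per client IP.
  rule "throttle by ip", conn do
    throttle conn.remote_ip,
      period: 60_000,
      limit: 100,
      storage: {PlugAttack.Storage.Ets, RateLimitExample.Storage}
  end

  # Override the default block action: answer 429 instead of 403 and tell the
  # client when the window resets. `data` carries :limit, :remaining and
  # :expires_at (a unix timestamp in milliseconds) from the throttle rule.
  def block_action(conn, {:throttle, data}, _opts) do
    retry_after = max(div(data[:expires_at] - System.system_time(:millisecond), 1_000), 1)

    conn
    |> put_resp_header("retry-after", Integer.to_string(retry_after))
    |> put_resp_header("x-ratelimit-limit", Integer.to_string(data[:limit]))
    |> put_resp_header("x-ratelimit-remaining", Integer.to_string(data[:remaining]))
    |> send_resp(429, "Too Many Requests\n")
    |> halt()
  end
end

defmodule RateLimitExample.Router do
  use Plug.Router

  # The limiter runs before :match, so unknown routes are throttled too.
  plug RateLimitExample.Limiter
  plug :match
  plug :dispatch

  get "/", do: send_resp(conn, 200, "ok")
  match _, do: send_resp(conn, 404, "not found")
end

defmodule RateLimitExample.LimiterTest do
  use ExUnit.Case, async: false
  import Plug.Test
  import Plug.Conn

  setup do
    # Fresh ETS table per test so counters from one test do not leak into another.
    start_supervised!(
      {PlugAttack.Storage.Ets, name: RateLimitExample.Storage, clean_period: 60_000}
    )

    :ok
  end

  # Constructed request from the given (made-up) client address.
  defp request(ip) do
    conn = %{conn(:get, "/") | remote_ip: ip}
    RateLimitExample.Router.call(conn, RateLimitExample.Router.init([]))
  end

  test "blocks the 101st request from one address within the window" do
    responses = for _ <- 1..101, do: request({10, 0, 0, 1})

    assert Enum.count(responses, &(&1.status == 200)) == 100
    blocked = List.last(responses)
    assert blocked.status == 429
    assert get_resp_header(blocked, "retry-after") != []
    assert get_resp_header(blocked, "x-ratelimit-limit") == ["100"]
  end

  test "a burst from one address does not affect another" do
    for _ <- 1..101, do: request({10, 0, 0, 1})
    assert request({10, 0, 0, 2}).status == 200
  end
end
```

Two caveats worth checking in a real deployment: `conn.remote_ip` is the address of the immediate peer, so behind a load balancer or reverse proxy every client would share the proxy's address and a single bucket; derive the client address from a trusted forwarded header (set only by your own proxy) before the limiter runs. The ETS storage is also per node, so in a multi-node deployment the 100-per-minute limit applies on each node separately rather than across the cluster.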


References

  • 115 - Security Controls Bypass or Absence

  • Last updated

    2023/09/18