Debugging Enabled in Production - Elixir


Need

Prevent sensitive information disclosure


Context

  1. Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications
  2. Usage of Plug.Debugger for debugging Elixir applications

Description

Insecure Code Example

defmodule MyApp do
  use Plug.Router

  # Evaluated at compile time: the debugger is compiled into the production
  # build, so any unhandled exception renders a debug page to the client.
  if Mix.env() == :prod do
    use Plug.Debugger
  end

  plug :match
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "Hello, world!")
  end
end

In this Elixir code, the application is using the Plug.Debugger middleware in a production environment (when Mix.env() == :prod). This means that in the event of a server error, detailed debugging information (like stack traces) will be displayed in the user's browser, which could expose sensitive information about the application's internals.

Steps

  1. Ensure that the Plug.Debugger middleware is not used in a production environment.
  2. Regularly review and update application configurations to ensure they are secure.

Secure Code Example

defmodule MyApp do
  use Plug.Router

  # Evaluated at compile time: Plug.Debugger is only compiled in for :dev,
  # so production builds never render stack traces to the client.
  if Mix.env() == :dev do
    use Plug.Debugger
  end

  plug :match
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "Hello, world!")
  end
end

In the updated code, the application only uses the Plug.Debugger middleware when the Mix.env() is :dev, which means during development. In a production environment, no debugging information will be displayed to the user.
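The secure example above removes the debug page from production but leaves unhandled exceptions with no explicit handling at all. The following router, added here as an illustration and not code from the original page or from the Plug project, keeps Plug.Debugger for :dev and, for every other environment, falls back to Plug.ErrorHandler so that a crash logs the full exception server-side while the client only receives a fixed "Internal Server Error" body. The module name MyApp.Router, the :my_app OTP application name and the /boom route are assumptions made up for this example.

```elixir
# Added example (not from the original page): debug page in :dev only,
# generic error response everywhere else.
defmodule MyApp.Router do
  use Plug.Router
  require Logger

  # Mix.env() is evaluated when the module is compiled, so the choice is
  # baked into the build; Mix itself is not available at runtime in releases.
  if Mix.env() == :dev do
    # :my_app is an assumed OTP app name; otp_app lets the debugger
    # locate sources to render code snippets in the debug page.
    use Plug.Debugger, otp_app: :my_app
  else
    use Plug.ErrorHandler

    # Called by Plug.ErrorHandler after it has set conn.status from the
    # exception (500 by default). Details go to the log, not to the client.
    @impl Plug.ErrorHandler
    def handle_errors(conn, %{kind: kind, reason: reason, stack: stack}) do
      Logger.error(Exception.format(kind, reason, stack))
      send_resp(conn, conn.status, "Internal Server Error")
    end
  end

  plug :match
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "Hello, world!")
  end

  # Constructed route that always raises, to exercise the error path.
  get "/boom" do
    _ = conn
    raise "something went wrong"
  end
end
```

Outside :dev, a request to /boom yields a 500 with the body "Internal Server Error" and a log entry containing the formatted exception and stack trace; Plug.ErrorHandler then re-raises so the crash still surfaces to the supervisor and any error-reporting tooling. An ExUnit test built with Plug.Test can assert this by calling MyApp.Router in a non-dev compile, wrapping the call in assert_raise, and checking that the response sent on the connection contains no stack-trace text.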


References

  • 183 - Debugging Enabled in Production

  • Last updated: 2023/09/18