Unauthorized access to files

Need

To prevent unauthorized access to files

Context

• Usage of Elixir (v1.12+) for building scalable and fault-tolerant applications

• Usage of Ecto.Repo for interacting with databases

Description

1. Non compliant code

defmodule MyApp.UserController do
  use MyApp.Web, :controller

  def update(conn, params) do
    user = MyApp.Repo.get!(User, params["id"])
    user = MyApp.Repo.update!(User.changeset(user, params))

    send_resp(conn, 200, "File updated at #{path}")...

The Elixir code allows a user to update their data and get access to a specific path in the Sharepoint. However, it doesn't perform any validation or checks on the user input, which could lead to unauthorized access to files.

2. Steps

• Validate user input

• Check whether the user is authenticated

• Check whether the authenticated user is the same user that is trying to update the data

• Only give access to the specific path in the Sharepoint if the user is authenticated and is the same user that is trying to update the data

3. Secure code example

defmodule MyApp.UserController do
  use MyApp.Web, :controller

  def update(conn, params) do
    user = MyApp.Repo.get!(User, params["id"])
    user = MyApp.Repo.update!(User.changeset(user, params))

      path = "/sharepoint/files/#{user.id}/"...

The secure Elixir code checks whether the user is authenticated and is the same user that is trying to update the data before giving access to the specific path in the Sharepoint.

References

• 201. Unauthorized access to files

On this page