Business Information Leak

Business Information Leak - Users

Need

Prevent exposure of valid users' list

Context

• Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications

• Usage of Plug (1.12.1 and above) for building composable web applications in Elixir

• Usage of Ecto for database query and manipulation (version 3.6.2 and above)

Description

1. Non compliant code

defmodule MyApp.UserController do
  use MyApp.Web, :controller

  def index(conn, _params) do
    users = Repo.all(User)
    render(conn, "index.json", users: users)
  end
end

This insecure code is exposing the list of all users without any checks or restrictions. This could allow attackers to obtain information about valid users in the system.

2. Steps

• Restrict access to user lists and only expose it when necessary and to authorized users.

• Include server-side checks to ensure only authorized users can access the data.

3. Secure code example

defmodule MyApp.UserController do
  use MyApp.Web, :controller

  def index(conn, _params) do
    if authorized?(conn) do
      users = Repo.all(User)
      render(conn, "index.json", users: users)
      send_resp(conn, :unauthorized, "")...

The secure code only provides the list of users if the user is authorized. It ensures that only the right users can see the user list.

References

• 221. Business Information Leak - Users

On this page