Business Information Leak - Analytics - Elixir


Need

Prevent unauthorized access to business analytics through exposed API key


Context

  1. Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  2. Usage of Plug (1.12.0 and above) for building composable web applications in Elixir

Description

Insecure Code Example

defmodule MyApp.AnalyticsController do
  use MyApp.Web, :controller

  # Vulnerable: the API key is a literal in the source and is accepted from
  # the URL query string, so it is visible both in the repository and in the
  # Swagger URL of the endpoint.
  def show(conn, %{"apiKey" => api_key}) do
    if api_key == "exposed_api_key" do
      analytics = MyApp.Analytics.get()
      render(conn, "show.json", analytics: analytics)
    else
      # A controller action must always return a Plug.Conn, also on failure
      send_resp(conn, :unauthorized, "")
    end
  end
end

This insecure code hardcodes the API key in the source and compares it against a value passed in the URL, where it is also visible in the Swagger URL of the endpoint. Anyone who obtains the key can retrieve the business analytics, which can lead to a serious information breach: unauthorized users gain access to valuable business insights.

Steps

  1. API keys should never be exposed in the code or URLs.
  2. Use secure methods to store and access API keys, such as environment variables or secure configuration files.
  3. Implement access controls to ensure that only authorized personnel can access the analytics.

Secure Code Example

defmodule MyApp.AnalyticsController do
  use MyApp.Web, :controller

  def show(conn, %{"apiKey" => api_key}) do
    if valid_key?(api_key) and authorized?(conn) do
      analytics = MyApp.Analytics.get()
      render(conn, "show.json", analytics: analytics)
    else
      send_resp(conn, :unauthorized, "")
    end
  end

  # The expected key is read from the environment, never from the source tree.
  # Plug.Crypto.secure_compare/2 compares in constant time, so a wrong key does
  # not reveal how many leading bytes matched.
  defp valid_key?(presented) when is_binary(presented) do
    case System.get_env("API_KEY") do
      nil -> false
      expected -> Plug.Crypto.secure_compare(presented, expected)
    end
  end

  defp valid_key?(_), do: false

  # Authorization: the caller must also be a principal allowed to view
  # analytics. The :current_user assign with a :can_view_analytics flag is an
  # assumed shape set by an earlier authentication plug.
  defp authorized?(conn) do
    match?(%{can_view_analytics: true}, conn.assigns[:current_user])
  end
end

The secure code compares the provided API key with a key read from secure storage rather than from the source, and only returns analytics when the caller is also authorized. This ensures that neither the API key nor the business analytics are exposed to unauthorized users.
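The same check can be enforced once, for every analytics route, as a Plug placed in front of the controllers instead of inside each action. The following is an added example and not code from the original page: the module name MyApp.Plugs.RequireApiKey, the header name x-api-key and the config key :analytics_api_key under the :my_app application are all assumptions chosen for this illustration. It goes one step beyond the secure example above by taking the key from a request header, so the key never appears in a URL at all, and by resolving the expected value from application config populated at runtime.

```elixir
# Added example (not the page's or project's code). Assumed names:
# MyApp.Plugs.RequireApiKey, the "x-api-key" header and the
# :analytics_api_key config key under the :my_app application.
defmodule MyApp.Plugs.RequireApiKey do
  @behaviour Plug
  import Plug.Conn

  @impl Plug
  def init(opts), do: opts

  @impl Plug
  def call(conn, _opts) do
    # Exactly one header value, a configured expected key, and a
    # constant-time match are all required; anything else is rejected.
    with [presented] <- get_req_header(conn, "x-api-key"),
         expected when is_binary(expected) <- expected_key(),
         true <- Plug.Crypto.secure_compare(presented, expected) do
      # Record that the caller authenticated as the analytics client so
      # downstream plugs or controllers can apply finer-grained authorization.
      assign(conn, :api_client, :analytics)
    else
      _ ->
        conn
        |> send_resp(:unauthorized, "")
        |> halt()
    end
  end

  # The key is resolved from application config at request time. In
  # config/runtime.exs it would be filled from the environment, e.g.
  #   config :my_app, :analytics_api_key, System.fetch_env!("ANALYTICS_API_KEY")
  # so no literal key is ever committed to the source tree.
  defp expected_key, do: Application.get_env(:my_app, :analytics_api_key)
end

# Usage in a Phoenix router (assumed pipeline name):
#
#   pipeline :analytics_api do
#     plug MyApp.Plugs.RequireApiKey
#   end
#
#   scope "/api", MyApp do
#     pipe_through [:api, :analytics_api]
#     get "/analytics", AnalyticsController, :show
#   end
```

Because the plug calls `halt/1` on failure, no controller in the pipeline runs for an unauthenticated request, and the `with` clause fails closed when the header is missing, duplicated, or the configuration has not been set.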


References

  • 228 - Business Information Leak - Analytics

  • Last updated: 2023/09/18