Technical Information Leak - Errors - Elixir


Need

Prevent exposing technical information through server error messages.


Context

  1. Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  2. Usage of Phoenix Framework for building web applications (version 1.6.0 and above)

Description

Insecure Code Example

defmodule MyAppWeb.ErrorView do
  use MyAppWeb, :view

  # Rendered for every HTTP 500 answered as JSON.
  # Note: the detail must be a binary string ("..."), not a single-quoted
  # charlist ('...'), which the JSON encoder would emit as a list of integers.
  def render("500.json", _assigns) do
    %{errors: %{detail: "Internal server error"}}
  end
end

This code is insecure because the error detail returned on a server error (HTTP 500) may carry too much information. Detailed error messages can expose sensitive technical details about the system to the client.

Steps

  1. Use generic error messages when responding to client requests, regardless of the type of error on the server.
  2. Handle exceptions at the application level and log the detailed error information server-side for debugging.
  3. Use a custom error handling plug to control what gets exposed in case of server errors.

Secure Code Example

defmodule MyAppWeb.ErrorView do
  use MyAppWeb, :view

  # Rendered for every HTTP 500 answered as JSON: a fixed, generic message
  # that carries no information about the underlying failure.
  # The detail is a binary string ("..."), not a charlist ('...'), so the
  # JSON encoder emits the text rather than a list of integers.
  def render("500.json", _assigns) do
    %{errors: %{detail: "An error occurred. We are working to fix it."}}
  end
end

This code is secure because it uses a generic error message to indicate a server error, without revealing any technical details. The detailed error information is not exposed to the client, reducing the risk of information leaks.
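The three steps above applied to the same error view, as an added example that is not part of the original page: the full exception goes to the server log, while the client only ever receives a fixed string or the standard HTTP reason phrase. It assumes the generated MyAppWeb.ErrorView of a Phoenix 1.6 project and relies on Phoenix passing :kind, :reason and :stack in the assigns when it renders an error (which Phoenix.Endpoint.RenderErrors does).

```elixir
defmodule MyAppWeb.ErrorView do
  use MyAppWeb, :view
  require Logger

  # The only text a client may see for a server-side failure.
  @generic_detail "An error occurred. We are working to fix it."

  # Step 2 + step 1: Phoenix.Endpoint.RenderErrors hands the caught
  # exception to the view as :kind, :reason and :stack. Everything
  # technical is written to the server log; the response body never
  # interpolates `reason`, `inspect(reason)` or the stack trace.
  def render("500.json", %{kind: kind, reason: reason, stack: stack}) do
    Logger.error(Exception.format(kind, reason, stack))
    %{errors: %{detail: @generic_detail}}
  end

  # Same template rendered without exception assigns (e.g. from a test):
  # still answer with the generic message only.
  def render("500.json", _assigns) do
    %{errors: %{detail: @generic_detail}}
  end

  # Other JSON error templates ("404.json", "422.json", ...) answer with
  # the standard HTTP reason phrase and nothing else.
  def render(<<_::binary-size(3), ".json">> = template, _assigns) do
    %{errors: %{detail: Phoenix.Controller.status_message_from_template(template)}}
  end

  # Step 3: templates with no clause of their own (e.g. "500.html") fall
  # back to the reason phrase instead of raising and leaking a second error.
  def template_not_found(template, _assigns) do
    Phoenix.Controller.status_message_from_template(template)
  end
end
```

Phoenix also logs the re-raised exception itself, so with this view the Logger.error line may appear alongside the framework's own entry; both stay server-side.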


References

  • 239 - Technical Information Leak - Errors

  • Last updated: 2023/09/18