logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

Non-encrypted Confidential Information - Database - Elixir

Need

Ensure that user query information stored in the database is encrypted.

Context

  1. Usage of Elixir (1.12.0 and above) for building scalable and concurrent applications
  2. Usage of Ecto (3.7.1 and above) for database query and manipulation
  3. Usage of Cloak (1.1.0 and above) for data encryption and protection

Description

Insecure Code Example

defmodule MyApp.Repo.Migrations.CreateUser do
  use Ecto.Migration

  def change do
    create table(:users) do
      add :query, :string
      timestamps()
    end
  end
end

The code is insecure because it directly stores the user's queries into the database without any form of encryption. This allows anyone who has access to the database to view sensitive user query information.

Steps

  1. Install the Cloak library to handle encryption and decryption of sensitive data.
  2. Encrypt user query data before storing it in the database.
  3. Decrypt the data when accessing it.

Secure Code Example

defmodule MyApp.Repo.Migrations.CreateUser do
  use Ecto.Migration

  def change do
    create table(:users) do
      add :query, Cloak.Encrypted.Binary
      timestamps()
    end
  end
end

The code is secure because it encrypts the user's queries before storing them in the database. The query data is decrypted when accessed, ensuring the stored data is unreadable without the decryption key.

References

  • 246 - Non-encrypted Confidential Information - Database

    • Last updated

    2023/09/18