Insecure Object Reference - Data - Elixir


Need

Prevent unauthorized users from accessing or manipulating other stores' data


Context

  1. Usage of Elixir 1.12 for functional programming and building scalable applications
  2. Usage of Phoenix Framework 1.6 for web development

Description

Insecure Code Example

# Vulnerable: loads whichever store the URL names and returns it with no ownership check
# (assumes the Store schema derives Jason.Encoder so json/2 can encode it)
def show(conn, %{"id" => id}) do
  store = Repo.get!(Store, id)
  json(conn, store)
end

This insecure code example shows an Elixir Phoenix application that retrieves a store's data by its ID without checking the user's permissions. An attacker can exploit this by guessing or brute-forcing the store IDs to access and manipulate other stores' data.

Steps

  1. Before returning the store's data, check if the authenticated user has the necessary permissions to access it
  2. Return a 403 Forbidden status code if the user does not have the necessary permissions

Secure Code Example

def show(conn, %{"id" => id}) do
  store = Repo.get!(Store, id)

  if has_permission?(conn.assigns[:current_user], store) do
    # Assumes the Store schema derives Jason.Encoder so json/2 can encode it
    json(conn, store)
  else
    send_resp(conn, :forbidden, "You do not have permission to access this store's data")
  end
end

# An unauthenticated request has no current_user; deny it instead of crashing on nil.id
defp has_permission?(nil, _store), do: false

# Only the owner of the store may read it
defp has_permission?(user, store) do
  user.id == store.user_id
end

This secure code example includes a check to ensure the authenticated user has the necessary permissions to access the store's data before it is returned. If they do not, a 403 Forbidden status code is returned.
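A stricter variant, added here as an example rather than code from the original page: the ownership check is folded into the query itself, so a store owned by someone else and a nonexistent id both raise Ecto.NoResultsError (which Phoenix renders as 404) and the response no longer reveals which ids exist. The module names MyApp.Stores and MyAppWeb.StoreController, the `name` field and the `current_user` assign set by an earlier authentication plug are assumptions.

```elixir
defmodule MyApp.Stores do
  @moduledoc """
  Context module (hypothetical name) that never loads a store without
  scoping the lookup to its owner, so callers cannot forget the check.
  """
  alias MyApp.{Repo, Store}

  # Returns the store only if it belongs to `user`. Any other id, whether it
  # belongs to another user or does not exist at all, raises
  # Ecto.NoResultsError, so both cases produce the same 404 and an attacker
  # cannot enumerate valid ids by comparing 403 and 404 responses.
  def get_store_for_user!(%{id: user_id}, store_id) do
    Repo.get_by!(Store, id: store_id, user_id: user_id)
  end
end

defmodule MyAppWeb.StoreController do
  use MyAppWeb, :controller
  alias MyApp.Stores

  # Reject unauthenticated requests before any action runs; `current_user`
  # is assumed to be assigned by an authentication plug earlier in the pipeline.
  plug :require_authenticated_user

  def show(conn, %{"id" => id}) do
    store = Stores.get_store_for_user!(conn.assigns.current_user, id)
    # Return an explicit map rather than the whole struct, so only intended
    # fields leave the server (assumes Store has a `name` field).
    json(conn, %{id: store.id, name: store.name})
  end

  defp require_authenticated_user(conn, _opts) do
    case conn.assigns[:current_user] do
      nil ->
        conn
        |> put_status(:unauthorized)
        |> json(%{error: "authentication required"})
        |> halt()

      _user ->
        conn
    end
  end
end
```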


References

  • 307 - Insecure Object Reference - Data

  • Last updated: 2023/09/18