Insecure object reference

Insecure object reference - User deletion

Need

Protecting user data and ensuring application integrity

Context

• Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications

• Usage of Plug and Cowboy for HTTP request and response handling

• Usage of Ecto for data persistence

Description

1. Non compliant code

def delete_user(conn, %{'id' => id}) do
  Repo.delete!(User |> Repo.get!(id))
  send_resp(conn, 204, "")
end

In this vulnerable code snippet, the application is deleting a user based on the provided id without checking if the authenticated user has the necessary permissions to perform the operation.

2. Steps

• Check the role of the current user before performing any destructive operations.

• Only allow users with the necessary permissions to delete other users.

• If a user without the necessary permissions tries to delete a user, return a 403 Forbidden status code.

3. Secure code example

def delete_user(conn, %{'id' => id}) do
  case conn.assigns.current_user.role do
    :admin -> 
      Repo.delete!(User |> Repo.get!(id))
      send_resp(conn, 204, "")
    _ ->
      send_resp(conn, 403, "Forbidden")
end...

In this secure version, before deleting a user, the application checks if the current user has the 'admin' role. If the user doesn't have the necessary permissions, the application returns a 403 Forbidden status code.

References

• 369. Insecure object reference - User deletion

On this page