logo

Database

Need

To ensure secure password resets and prevent attackers from gaining control over user accounts.

Context

• Usage of Elixir 1.12 for functional programming and building scalable applications

• Usage of Plug for building composable web applications in Elixir

• Usage of Phoenix web framework for building web applications

Description

1. Non compliant code

defmodule MyAppWeb.PasswordResetController do
  use MyAppWeb, :controller

  def create(conn, %{'email' => email}) do
    user = Accounts.get_user_by_email(email)
    Accounts.deliver_password_reset_instructions(user, conn)
    send_resp(conn, :ok, "")
end...

The code generates a password reset link using the host provided in the request headers. An attacker can manipulate the request headers to provide a host that they control, resulting in the application generating a reset link that points to the attacker's host.

2. Steps

• Ensure the password reset URL is generated using a trusted host value.

• Don't rely on values provided in the request headers for generating the reset URL.

• Add a configuration for the application's host and use that when generating the password reset URL.

3. Secure code example

defmodule MyAppWeb.PasswordResetController do
  use MyAppWeb, :controller

  def create(conn, %{'email' => email}) do
    user = Accounts.get_user_by_email(email)
    Accounts.deliver_password_reset_instructions(user)
    send_resp(conn, :ok, "")
end...

The code now generates the password reset URL using a trusted host value from the application's configuration, instead of the host provided in the request headers. This prevents an attacker from manipulating the reset URL to point to their own host.