LostKobrakai

LostKobrakai

32) ElixirConf 2017: Plugging the Security Holes in Your Phoenix Application

After having watched the talk I’m wondering if this would also be a good opportunity to gather examples / tips about how to prevent or mitigate the mentioned issues. I’d expect the e.g. for the mentioned session issue there might already be examples out there. Also I’m especially curious about the last topic on mass assignment. How do you guys handle changesets which are allowed to change things like admin flags or alike, so at best they’re not accidentally usable from any frontend forms.

Most Liked

LostKobrakai

LostKobrakai

I’ll start by adding my captain obvious solution to prevent accidental changes to admin flag fields: Don’t handle it through the params sent to changeset/2, but only allow them to be changed by custom functions.

def make_admin(%User{} = user) do
  user
  |> Ecto.Changeset.change(%{is_admin: true})
  |> Repo.update()
end

def put_admin_flag(%Ecto.Changeset{} = changeset) do
  Ecto.Changeset.change(changeset, %{is_admin: true})
end

This way in each places, where setting that flag should indeed be possible it has to be done explicitly, independent to any changeset/2 functions/params.

benwilson512

benwilson512

Author of Craft GraphQL APIs in Elixir with Absinthe

One person’s duplication is another’s de-coupling. :slight_smile:

griffinbyatt

griffinbyatt

I’ll comment with some of my thoughts a bit later when I have some more time. Until then, I wanted to say thanks for posting, and I’m happy to answer questions about the content if anyone has any!

griffinbyatt

griffinbyatt

The nice thing about most of the vulnerabilities I talked about is that Phoenix does a good job of pushing you in the right direction, so there often aren’t too many ways to make mistakes. This means that 1) Once you are aware of the issues, they become much easier to avoid, and 2) A lot of these issues are easy to detect in an automated fashion, so a tool like Sobelow can simply/reliably help you avoid them.

That leaves “logical” issues like session/auth handling and “mass assignment” type vulns. These tend to be less Phoenix-specific, and are common across applications. Mass Assignment vulnerabilities are a pretty classic Rails issue, and have been fairly highly publicized, but the Rails community still has issues with it. It’s a pretty hard thing to mitigate.

I think part of the problem people have w/ the changeset functionality is that, because the changeset function is generated for you (and because it’s called “changeset”), the changeset function feels very “official” and safe.

^^ This is definitely a solid way to start dealing with sensitive fields! Another is to have a bunch of unique, very explicit changesets. E.g. registration_changeset, admin_changeset.

Also, when possible, explicitly passing params is a good move. For example, something like:

User.registration_changeset(%{email: email, username: username})

People tend to like this recommendation less b/c it can cause a lot of duplication. But I like it, because even if something unfortunate changes w/in the changeset function, you’re still safe :stuck_out_tongue:

michalmuskala

michalmuskala

You would define multiple changeset functions in that case. In general, in ecto, almost no configuration or validation is “global”. There is nothing special in the function called changeset/2.

I’m sorry, but I really don’t see a problem this is trying to solve. It’s, of course, different if you don’t use ecto, but if you do, I can’t see an advantage this offers.

Where Next?

Popular in Talks Top

AstonJ
Just starting to go up - here's the first three: By @lpil By @Crowdhailer By Evadne Wu (Why aren't you a member Evadne :p)
New
axelson
ElixirConf 2017 - The Power of Zero - Andrew Forward Automation is hard, but the benefits can be phenomenal....
New
axelson
ElixirConf 2017 - Streaming Video with Elixir - @johnwahba Running a video stream is challenging. You can’t ...
New
ElixirConf
ElixirConf: ElixirConf 2023 - Charlie Holtz - Building AI Apps with Elixir Comments welcome! View the <span class="hashtag-icon-placehol...
New
AstonJ
File uploads are an essential part of many web applications, but often handling them can be tricky, which explains why they are one of th...
New
New
axelson
ElixirConf 2017 - Live APIs with GraphQL Subscriptions - @bruce and @benwilson512 APIs have gone live with G...
New
CodeSync
Introducing Phoenix Sync - James Arthur | ElixirConf EU 2025 | ElixirConf EU 2025 Comments welcome! View the <span class...
New
CodeSync
Code Sync: Keynote: Gang of None? Design Patterns in Elixir - José Valim | ElixirConf EU 2024 Comments welcome! View the <span class="ha...
New
TwistingTwists
I am in middle of watching this. I have to stop every minute and think over what Chris just said. The amount of info he sends over that ...
New

Other popular topics Top

JakeBecker
TL;DR: I’ve just released an implementation of Microsoft’s IDE-independent Language Server Protocol for Elixir. It adds language support ...
1140 51847 244
New
yawaramin
In the Dialyzer docs ( http://erlang.org/doc/man/dialyzer.html#requesting-or-suppressing-warnings-in-source-files ), there is a way to tu...
New
ycv005
I have followed this StackOverflow post to install the specific version of Erlang. And When I am running mix ecto.setup then getting fol...
New
jononomo
I am trying to figure out how Mix knows whether the environment is test, dev, or prod -- where is this set? Thanks.
New
mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
aadeshere1
I have a another noob question about loop. Since elixir is immutable, while loop is not directly possible. total = 10 while total != 0 ...
New
rms.mrcs
Hi, I need to transform a list of numbers into a map where the keys are the indexes and the values are the original values of the list....
New
Patoshizzle
After calling mix ecto.create I get this error: 17:00:32.162 [error] GenServer #PID&lt;0.412.0&gt; terminating ** (Postgrex.Error) FATAL...
New
lucidguppy
I have a super simple question about elixir - how would I take a file like this foo bar baz and output a new file that enumerates th...
New
joeerl
Hello again - after a longish gap I’ve decided I really must dig into Elixir and see what’s been happening here - so I have a few questio...
New

We're in Beta

About us Mission Statement