OeditusCredo.Check.Security.InsecureDirectObjectReference
(OeditusCredo v0.6.3)
Basics
This check is disabled by default.
Learn how to enable it via .credo.exs.
This check has a base priority of high and works with any version of Elixir.
Explanation
Detects potential Insecure Direct Object Reference (IDOR) vulnerabilities (CWE-639).
Fetching resources by user-provided IDs without ownership or authorization checks can allow users to access other users' data.
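A fuller version of the pattern this check flags and the ownership-checked form it accepts, written as an added example rather than code from the OeditusCredo docs. `Repo`, `Post`, `Unauthorized` and the seeded records are constructed stand-ins for an Ecto repo and schema so the file runs with plain `elixir`; no Phoenix or Ecto is needed.

```elixir
# Added example (not part of the OeditusCredo docs): the IDOR pattern this
# check flags and the ownership-checked form it accepts. `Repo`, `Post`,
# `Unauthorized` and the seeded data are constructed stand-ins for an Ecto
# repo and schema so the file runs with plain `elixir`.

defmodule Post do
  defstruct [:id, :user_id, :title]
end

defmodule Unauthorized do
  defexception message: "not authorized"
end

defmodule Repo do
  # Constructed in-memory stand-in for Ecto.Repo.get!/2.
  @posts %{
    1 => %Post{id: 1, user_id: 10, title: "alice's draft"},
    2 => %Post{id: 2, user_id: 20, title: "bob's draft"}
  }

  def get!(Post, id) when is_integer(id), do: Map.fetch!(@posts, id)
  def get!(Post, id) when is_binary(id), do: get!(Post, String.to_integer(id))
end

defmodule Posts do
  # Bad: the record is fetched purely from the client-supplied id and handed
  # back. Any authenticated caller can read any post by supplying its id.
  def show_insecure(params) do
    Repo.get!(Post, params["id"])
  end

  # Good: fetch, then require that the caller owns the record before it is
  # returned. This is the `authorize!` shape shown in the docs above.
  def show(current_user, params) do
    post = Repo.get!(Post, params["id"])
    authorize!(current_user, :read, post)
    post
  end

  # Ownership check: raises rather than returning nil so a caller cannot
  # silently forget to handle the failure.
  def authorize!(%{id: user_id}, :read, %Post{user_id: user_id}), do: :ok
  def authorize!(_user, _action, _post), do: raise(Unauthorized)
end

alice = %{id: 10}
params = %{"id" => "2"}  # bob's post, requested by alice

# Insecure path hands out bob's post.
IO.inspect(Posts.show_insecure(params).title, label: "insecure")

# Secured path refuses.
try do
  Posts.show(alice, params)
rescue
  Unauthorized -> IO.puts("secure: access to post 2 denied for user 10")
end

# Alice's own post is still reachable through the secured path.
IO.inspect(Posts.show(alice, %{"id" => "1"}).title, label: "secure")
```

Scoping the query to the current user (for example filtering on `user_id` before the fetch) is an equally sound defence; which helper names the check accepts as proof of ownership is governed by its built-in indicators plus whatever `:extra_ownership_indicators` adds.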
Bad:
post = Repo.get!(Post, params["id"])
Good:
post = Repo.get!(Post, params["id"])
authorize!(current_user, :read, post)
Check-Specific Parameters
Use the following parameters to configure this check:
:exclude_test_files
Set to true to skip test files (default: false)
This parameter defaults to nil.
:extra_ownership_indicators
Additional ownership/authorization indicator substrings (default: [])
This parameter defaults to nil.
General Parameters
Like with all checks, general params can be applied.
Parameters can be configured via the .credo.exs config file.
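A minimal .credo.exs that enables this disabled-by-default check and sets both of its parameters, added here as an example rather than taken from the OeditusCredo docs. It assumes the OeditusCredo library is already a dependency of the project and uses Credo 1.7's `checks: %{...}` map layout, where the `extra` key adds checks on top of Credo's defaults; the indicator strings are constructed placeholders for a project's own helper names.

```elixir
# Added example (not from the OeditusCredo docs): a minimal .credo.exs that
# turns on this disabled-by-default check and sets both of its parameters.
# Assumes Credo 1.7's `checks: %{...}` map layout; `extra` adds checks on
# top of Credo's defaults (adjust for older config layouts).
%{
  configs: [
    %{
      name: "default",
      checks: %{
        extra: [
          {OeditusCredo.Check.Security.InsecureDirectObjectReference,
           # Skip test files, where fetching fixtures by id is routine.
           exclude_test_files: true,
           # Constructed placeholder names: project helpers that also prove
           # ownership, treated like the check's built-in indicators.
           extra_ownership_indicators: ["scope_to_user", "owned_by?"]}
        ]
      }
    }
  ]
}
```

Run `mix credo` afterwards; findings from this check carry its high base priority, so they appear near the top of the report.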