daveboo

daveboo

Plain text passwords showing up in conn dump on crash

Hello, I have a problem in that my architect/cloud-ops person has informed me that plain-text passwords are showing up in the crash dump when our Phoenix requests fail for any reason. We have set the config to hide passwords, and they are being hidden when we log out to iex console, but not in the dump files.

So, my questions are:

  1. We are in dev right now, and we were wondering if we would have this same problem in production?
  2. As a recommended fix, I have been tasked with providing minimal protection (just preventing some support tech at AWS from being able to read the passwords in a dump file?), by base64 encoding passwords before sending them across the wire, and then decoding them before validating/strength-checking etc. My journey down this path has been painfully confusing to say the least, so should this even be an option?
  3. Is it possible/advisable to try to insert a server-side catch for this in the plug pipeline before writes out the conn dump for the error?

Thanks, dave

Most Liked

voltone

voltone

The EEF Security WG’s “Secure Coding and Deployment Hardening Guidelines” may have some helpful pointers: Protecting sensitive data and Crash dumps and core dumps

dom

dom

What type of dump files - Erlang crash dumps? Core dumps?

If your passwords are only used by specific processes, you can enable the sensitive process flag in them to hide the data from Erlang crash dumps. It’s documented here: erlang — OTP 29.0.2 (erts 17.0.2)

Where Next?

Popular in Questions Top

9mm
I am constructing a JSON object (map) and I need to conditionally set a field. I’m trying to write proper elixir-way code… and I’m at a l...
New
stefanluptak
Hello everybody, usually, I use a 29" ultra-wide monitor for VSCode which can easily accomodate explorer (files panel) + file with code ...
New
itssasanka
Hi all, Trying to get some more clarity over utc_datetime and naive_datetime for Ecto: The documentation above suggests that while ...
New
jay1
Why is it that the mnesia database isn’t the most preferred database for use in Elixir/Phoenix?
New
Qqwy
Original source of discussion: This topic on the Pragmatic Programmers’ Functional Web Development with Elixir, OTP, and Phoenix forum. ...
New
vrod
I am using the Starship cross-shell prompt – it seems pretty nice, but I get some errors: [WARN] - (starship::utils): Executing command ...
New
nobody
Hi! In PHP: $_SERVER[‘SERVER_ADDR’] - in Elixir? Searched the docs for ip address and the web, no good results. Thanks!
New
Brian
What is the proper way to load a module from a file in to IEX? In the python world, doing something like this pretty standard: from ....
New
JorisKok
I have a server on AWS, and was running a load test using artillery. When looking at the Phoenix dashboard I see the Ports going to 100% ...
New
svb
Hi! Currently I want to submit a form by pressing the Enter key. However, since my input field is of type “textarea” this is just adds a...
New

Other popular topics Top

marius95
Hello everyone, I try to use an Javascript Event Handler in my root.html.leex file. Therefore I created a function in the app.js file: ...
New
johnnyicon
Hi all, I’ve just started learning Elixir and Phoenix Framework, so please pardon my n00bness at this stage. I’m trying to use Postgres...
New
pmjoe
I have a relationship of love and hate with Elixir. Lots of things are just absolutely right, but there are some things that are kind of ...
New
msaraiva
Surface is an experimental library built on top of Phoenix LiveView and its new LiveComponent API that aims to provide a more declarative...
564 43757 214
New
gausby
I asked this very same question on twitter and got some interesting feedback, but I thought it would be a good question to ask here as we...
1207 39467 209
New
SoCreat
i’m a new one to elixir which editor can i use vs code? or atom? Thanks! :smiley:
New
dblack
I’ve got an issue with an app and I’ve no idea of how to troubleshoot it. I’m hoping someone here might have seen something similar. I p...
New
nsuchy
Hi. I’ve noticed that Windows Powershell has it’s own IEX command and you cannot access Elixir’s IEX due to the conflict. This isn’t a cr...
New
hariharasudhan94
Lets say I have map like this fetching from my database %{"_id" => #BSON.ObjectId<58eb1a7a9ad169198c3dXXXX>, "email" => ...
New
dokuzbir
I want to highlight html closing tags when i click a html tag. That works in .html files but doesnt work for html.eex templates. How can...
New

We're in Beta

About us Mission Statement