Add Sensitive Data Exposure Section (#51)

stilwellc · web-flow · commit de6954dae5dd · 2023-02-17T12:04:03.000-08:00
diff --git a/modules/5-elixir.livemd b/modules/5-elixir.livemd
@@ -17,6 +17,7 @@ But even the dullest blades can hurt someone! This module goes over Elixir speci
 * [Untrusted Code](#untrusted-code)
 * [Timing Attacks](#timing-attacks)
 * [Boolean Coercion](#boolean-coercion)
+* [Sensitive Data Exposure](#sensitive-data-exposure)
 
 ## Atom Exhaustion
 
@@ -219,4 +220,68 @@ user_input = "some_string_which_obviously_isnt_the_same_as_the_password"
 # if SecurityCheck.validate(user_input, password) || raise(SecurityCheck) do :you_let_a_baddie_in end
 ```
 
+## Sensitive Data Exposure
+
+### Description
+
+Sensitive data is any information that should be out of reach from all outsiders unless they have permission to access it, which in most cases would be considered "confidential data". Some examples of sensitive data are PHI (Protected Health Information) or PII (Personally Identifiable Information).
+
+While it's obvious that we don't want data of this nature to get exposed, let's walk through some of the common instances in which it _can_ occur while using Elixir and how to prevent it from happening!
+
+### Prevention
+
+## Wrapping
+
+Exceptions may result in console or log output that includes a stack trace. Mostly a stack trace shows the module/function/arity and the filename/line where the exception occurred, but for the function at the top of the stack the actual list of arguments may be included instead of the function arity.
+
+To prevent sensitive data from leaking in a stack trace, the value may be wrapped in a closure: a zero-arity anonymous function. The inner value can be easily unwrapped where it is needed by invoking the function. If an error occurs and function arguments are written to the console or a log, it is shown as `#Fun<...>` or `#Function<...>`. 
+
+Secrets wrapped in a closure are also safe from introspection using [Observer](https://elixir-lang.org/getting-started/debugging.html#observer) and from being written to crash dumps.
+
+### <span style="color:blue;">Example</span>
+
+```elixir
+wrapped_secret = fn -> System.get_env("SECRET") end
+```
+
+## Stacktrace Pruning
+
+Another approach, useful in functions that call the standard library (e.g. crypto) or other functions that do not support wrapping secrets in a closure, is stripping argument values from the stack trace when an exception occurs. This can be done by wrapping the function call(s) in a try … catch expression (Erlang) or adding a rescue clause to a function body (Elixir), and stripping the function arguments before re-raising the exception
+
+### <span style="color:blue;">Example</span>
+
+```elixir
+def encrypt_with_secret(message, wrapped_secret) do
+  ComeCryptoLib.encrypt(message, wrapped_secret.())
+rescue
+  e -> reraise e, prune_stacktrace(System.stacktrace())
+end
+
+defp prune_stacktrace([{mod, fun, [_ | _] = args, info} | rest]),
+  do: [{mod, fun, length(args), info} | rest]
+
+defp prune_stacktrace(stacktrace), do: stacktrace
+```
+
+## ETS Tables
+
+[ETS tables](https://elixir-lang.org/getting-started/mix-otp/ets.html) are commonly used as a go to caching mechanism in-app. But did you know that they can be declared as private (through the use of the `:private` option when instantiating them)? 
+
+This prevents the table from being read by other processes, such as remote shell sessions. Private tables are also not visible in Observer.
+
+### <span style="color:red;">Quiz</span>
+
+**We have decided that we do not want this ETS table to be read from other processes, so try making it private:**
+
+```elixir
+secret_table = :ets.new(:secret_table, [:public]) # ONLY EDIT THIS LINE
+:ets.info(secret_table)[:protection]
+```
+
+## Resource
+
+1. https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/sensitive_data.html
+
+
+
 [**<- Previous Module: GraphQL Security**](./4-graphql.livemd) || [**Next Module: Cookie Security ->**](./6-cookies.livemd)
