How To Securely Use Ecto Preload Function — Tentamen Software Testing Blog

Karlo Smid
Jan 28, 2021


TL;DR

The Ecto library has an excellent feature called preload: it loads a schema's associations into the result set. We look at this feature from a security angle, for the case where an association points at your User schema and that schema contains security-sensitive data.

The Feature

An Ecto query does not load associated data by default. This can cause a developer some headaches at first, but it is a very reasonable design: loading associations can be expensive, so the choice of whether to load them is left to the developer.

Example

Here is an example from my Testivator.com application, where we have User and Session schemas, and Session belongs to User.

The User schema holds a lot of sensitive data; the best example is password_hash.

If we just use preload without a query, Ecto selects every attribute of the associated User schema, password_hash included, and each Session in the result set carries the full User struct.

Separate Schema

The first solution is to split the User schema in two: a second schema, associated with User, holds only the security attributes. The downside is that this requires a database change, so we have to write and run a migration.
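What that split looks like in practice, as an added example that is not code from the original post or from Testivator: a migration that moves password_hash out of users into its own user_credentials table (copying existing rows so nobody is locked out), plus the two schemas afterwards. Table, module and column names are assumptions, the SQL inside execute/1 is PostgreSQL, and `redact: true` needs Ecto 3.5 or newer.

```elixir
# Added example, not the post's own code. Names are assumptions; SQL is PostgreSQL.
defmodule Testivator.Repo.Migrations.MoveUserSecretsToCredentials do
  use Ecto.Migration

  def up do
    create table(:user_credentials) do
      add :user_id, references(:users, on_delete: :delete_all), null: false
      add :password_hash, :string, null: false
      timestamps()
    end

    # One credential row per user.
    create unique_index(:user_credentials, [:user_id])

    # Make the DDL above visible to the data copy below.
    flush()

    execute """
    INSERT INTO user_credentials (user_id, password_hash, inserted_at, updated_at)
    SELECT id, password_hash, now(), now() FROM users
    """

    # Only now is it safe to drop the column from users.
    alter table(:users) do
      remove :password_hash
    end
  end

  def down do
    alter table(:users) do
      add :password_hash, :string
    end

    flush()

    execute """
    UPDATE users SET password_hash = c.password_hash
    FROM user_credentials c WHERE c.user_id = users.id
    """

    drop table(:user_credentials)
  end
end

# The security attributes now live in their own schema ...
defmodule Testivator.Accounts.UserCredential do
  use Ecto.Schema

  schema "user_credentials" do
    # redact: true (Ecto >= 3.5) keeps the value out of inspect/1, i.e. out of logs.
    field :password_hash, :string, redact: true
    belongs_to :user, Testivator.Accounts.User
    timestamps()
  end
end

# ... and User keeps only data that may be shown. A bare preload of :user from
# Session can no longer pull in a password hash, whatever the caller does.
defmodule Testivator.Accounts.User do
  use Ecto.Schema

  schema "users" do
    field :name, :string
    field :email, :string
    has_one :credential, Testivator.Accounts.UserCredential
    timestamps()
  end
end
```

Because the credential is a separate association, the hash is loaded only where code asks for it explicitly (for example in the login function with `preload: [:credential]`), which is the least-privilege default the post is after.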

Preload With Query

A simpler solution is to pass a query to preload. The query selects only name and email from the User schema, so password_hash is never even read from the database.
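The two variants side by side, as an added example rather than the original post's code: the schemas as the post describes them (Session belongs to User, User holds password_hash), the bare preload that drags the hash into every Session, and the preload with a query that selects only the public columns. Module names, the Testivator.Repo alias, the token field and the use of Jason as JSON library are assumptions; `redact: true` needs Ecto 3.5 or newer.

```elixir
# Added example, not the post's own code. Module and field names are assumptions.
defmodule Testivator.Accounts.User do
  use Ecto.Schema

  # Belt and braces (assumes Jason): an allow-list for JSON rendering, so even an
  # unfiltered json(conn, user) in a controller cannot serialise password_hash.
  @derive {Jason.Encoder, only: [:id, :name, :email]}
  schema "users" do
    field :name, :string
    field :email, :string
    # Sensitive. redact: true (Ecto >= 3.5) hides the value from inspect/1 and
    # therefore from logs and error pages.
    field :password_hash, :string, redact: true
    has_many :sessions, Testivator.Accounts.Session
    timestamps()
  end
end

defmodule Testivator.Accounts.Session do
  use Ecto.Schema

  schema "sessions" do
    field :token, :string
    belongs_to :user, Testivator.Accounts.User
    timestamps()
  end
end

defmodule Testivator.Accounts do
  import Ecto.Query, only: [from: 2]
  alias Testivator.Repo
  alias Testivator.Accounts.{Session, User}

  # Unsafe: a bare preload runs SELECT * on users, so every session.user in the
  # result set carries password_hash.
  def list_sessions_unsafe do
    Repo.all(from s in Session, preload: [:user])
  end

  # Safe: Ecto runs the interpolated query to fetch the associated users, so only
  # id, name and email are read. Unselected fields stay nil in the struct.
  # :id is kept so the loaded User is still a well-formed record.
  def list_sessions do
    user_query = from u in User, select: [:id, :name, :email]
    Repo.all(from s in Session, preload: [user: ^user_query])
  end

  # Guard to run before a session is handed to a view or test: true only when the
  # loaded user carries no hash.
  def safe_for_view?(%Session{user: %User{password_hash: nil}}), do: true
  def safe_for_view?(%Session{}), do: false
end
```

The query variant is cheap, but it protects only the call sites that remember it; the @derive allow-list and redact: true in the schema catch the call site that forgets.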

Remember

The security problem appears when query results are passed to the controller view: the User security attributes then travel from the server to the user's browser. Those attributes should never leave the database in the first place.

Originally published at https://blog.tentamen.eu on January 28, 2021.

Written by Karlo Smid

Founder of Tentamen, software testing agency.
