GuardAPI
Automated Security Protocol

How to fix Improper Assets Management in Plug

Executive Summary

Improper asset management in Elixir's Plug often stems from lazy Plug.Static configurations. Mapping the project root or failing to restrict allowed file types leads to source code disclosure, secret leakage (like .env files), and configuration exposure. If your 'from' path is too broad, you're handing an attacker your entire application structure.

The Vulnerable Pattern

VULNERABLE CODE
defmodule MyApp.Router do
  use Plug.Router

  # EXTREMELY DANGEROUS: serves everything from the current directory.
  # This exposes mix.exs, config/, .env, and lib/ source code.
  plug Plug.Static, at: "/", from: "."

  plug :match
  plug :dispatch

  # Catch-all so unmatched requests return 404 instead of raising
  match _ do
    send_resp(conn, 404, "Not Found")
  end
end

The Secure Implementation

To fix asset mismanagement, apply the Principle of Least Privilege to file serving. First, never serve from the root ('.'); use the OTP-compliant '{:app_name, "priv/static"}' pattern. Second, implement the 'only' option to create a strict whitelist of assets; this prevents attackers from accessing sensitive files like .git or config.exs even if they exist in the static folder. Third, mount assets on a specific sub-path like '/assets' to avoid shadowing dynamic application routes.

SECURE CODE
defmodule MyApp.Router do
  use Plug.Router

  # SECURE: isolated directory with explicit whitelisting
  # 1. Scope to a dedicated static directory (OTP app + priv/static)
  # 2. Use the :only option to whitelist specific top-level folders/files
  # 3. Mount under /assets so static files never shadow application routes
  plug Plug.Static,
    at: "/assets",
    from: {:my_app, "priv/static"},
    only: ~w(css js images favicon.ico),
    gzip: true

  plug :match
  plug :dispatch

  # Catch-all so unmatched requests return 404 instead of raising
  match _ do
    send_resp(conn, 404, "Not Found")
  end
end
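The three steps above can be verified with an ExUnit test that drives the router through Plug.Test and confirms the static boundary holds. The following is an added example, not GuardAPI's own code: it assumes a Mix project whose OTP application is named :my_app, that priv/static/css/app.css exists on disk, and that MyApp.Router carries the scoped Plug.Static plus a catch-all 404 route and one dynamic /health route (the route and file names are illustrative).

```elixir
# Added example (not from the original page). Assumes a Mix project whose OTP
# application is :my_app and that priv/static/css/app.css exists on disk.
defmodule MyApp.Router do
  use Plug.Router

  # Scoped, whitelisted static serving: only the top-level entries named in
  # :only under priv/static are reachable, and only below the /assets prefix.
  plug Plug.Static,
    at: "/assets",
    from: {:my_app, "priv/static"},
    only: ~w(css js images favicon.ico),
    gzip: true

  plug :match
  plug :dispatch

  # Illustrative dynamic route, used to show the static mount does not shadow it.
  get "/health" do
    send_resp(conn, 200, "ok")
  end

  # Anything Plug.Static declines falls through to this 404, never to the filesystem.
  match _ do
    send_resp(conn, 404, "Not Found")
  end
end

defmodule MyApp.StaticScopeTest do
  use ExUnit.Case, async: true
  import Plug.Test

  @opts MyApp.Router.init([])

  defp request(path), do: conn(:get, path) |> MyApp.Router.call(@opts)

  test "whitelisted asset under /assets is served" do
    assert request("/assets/css/app.css").status == 200
  end

  test "file in priv/static but outside the :only list is not served" do
    # Even if priv/static/notes.txt existed, "notes.txt" is not a whitelisted entry.
    assert request("/assets/notes.txt").status == 404
  end

  test "project files outside priv/static are unreachable" do
    for path <- ["/mix.exs", "/config/config.exs", "/.env", "/lib/my_app.ex"] do
      assert request(path).status == 404
    end
  end

  test "dynamic routes are not shadowed by the static mount" do
    assert request("/health").status == 200
  end
end
```

Run it with `mix test`. Note that `:only` matches the first path segment after the mount prefix, so its entries are directory or file names directly inside priv/static (css/, js/, images/, favicon.ico), not file extensions; a request for anything else under /assets is passed on to the router and ends in the 404 catch-all.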


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.