GuardAPI
Automated Security Protocol

How to fix Logic Flow Bypass in Plug

Executive Summary

In Elixir's Plug-based applications, logic flow bypasses typically manifest when a plug performs a security check and identifies a failure, but fails to stop the execution pipeline. Unlike some frameworks where returning an error response terminates the request, Plug requires an explicit signal to stop downstream processing. Without this signal, the request continues to subsequent plugs and eventually hits the controller action, even if a 403 or 401 status was already sent.

The Vulnerable Pattern

VULNERABLE CODE
defmodule MyApp.AuthPlug do
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    case get_req_header(conn, "authorization") do
      ["Bearer " <> token] when token == "valid_token" ->
        conn

      _ ->
        # VULNERABILITY: Response is sent, but the pipeline is NOT halted.
        # Downstream plugs and controller actions will still execute.
        conn
        |> send_resp(401, "Unauthorized")
    end
  end
end

The Secure Implementation

The critical fix is the use of `Plug.Conn.halt/1`. In Plug, the connection struct (`conn`) is passed through a series of functions. Sending a response via `send_resp/3` only sets the response status and body; it does not stop the function chain. By calling `halt(conn)`, you set the `:halted` field of the struct to `true`. The `Plug.Builder` pipeline checks this field after every plug execution; if it is `true`, the remaining plugs are skipped and the request never reaches any further logic. Always ensure that every branch of your security logic that results in an error response also invokes `halt/1`.
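To see the `:halted` check in action, the following added example (not code from the GuardAPI page or from the Plug project) runs the same auth plug through two `Plug.Builder` pipelines, one that forgets to halt and one that halts, with a stand-in plug after it that records whether it executed. The module names under `MyDemo.*`, the `:halt` option, and the `"valid_token"` value are assumptions made for this demo; it only needs the `:plug` dependency.

```elixir
# Added example, not part of the original page. Assumes the :plug dependency
# is available; MyDemo.* module names and "valid_token" are demo assumptions.
defmodule MyDemo.AuthPlug do
  import Plug.Conn

  # The :halt option lets one plug model both the vulnerable and the fixed form.
  def init(opts), do: Keyword.get(opts, :halt, true)

  def call(conn, halt?) do
    case get_req_header(conn, "authorization") do
      ["Bearer " <> token] when token == "valid_token" ->
        conn

      _ ->
        conn = send_resp(conn, 401, "Unauthorized")
        # Fixed form halts here; vulnerable form returns the conn unhalted.
        if halt?, do: halt(conn), else: conn
    end
  end
end

defmodule MyDemo.SensitiveAction do
  # Stand-in for a controller action: records that it ran.
  import Plug.Conn

  def init(opts), do: opts
  def call(conn, _opts), do: assign(conn, :sensitive_action_ran, true)
end

defmodule MyDemo.VulnerablePipeline do
  use Plug.Builder

  plug MyDemo.AuthPlug, halt: false
  plug MyDemo.SensitiveAction
end

defmodule MyDemo.FixedPipeline do
  use Plug.Builder

  plug MyDemo.AuthPlug, halt: true
  plug MyDemo.SensitiveAction
end

# Constructed request with a bad token, built with Plug.Test helpers.
conn =
  Plug.Test.conn(:get, "/admin")
  |> Plug.Conn.put_req_header("authorization", "Bearer bad")

vuln = MyDemo.VulnerablePipeline.call(conn, MyDemo.VulnerablePipeline.init([]))
fixed = MyDemo.FixedPipeline.call(conn, MyDemo.FixedPipeline.init([]))

IO.inspect({vuln.status, vuln.halted, vuln.assigns[:sensitive_action_ran]},
  label: "vulnerable pipeline {status, halted, action_ran}")

IO.inspect({fixed.status, fixed.halted, fixed.assigns[:sensitive_action_ran]},
  label: "fixed pipeline {status, halted, action_ran}")
```

In the vulnerable pipeline the 401 is sent but `halted` stays `false` and the `:sensitive_action_ran` assign is set, showing that the downstream plug executed after the rejection; in a real Phoenix app that is where database writes or other side effects in the controller action would happen before any `Plug.Conn.AlreadySentError` is raised. In the fixed pipeline `halted` is `true` and the assign is never set. The same two checks make a good regression test: in ExUnit, assert `conn.halted` and refute `conn.assigns[:sensitive_action_ran]` for every rejected request.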

SECURE CODE
defmodule MyApp.AuthPlug do
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    case get_req_header(conn, "authorization") do
      ["Bearer " <> token] when token == "valid_token" ->
        conn

      _ ->
        # FIX: halt(conn) prevents further execution of the pipeline.
        conn
        |> send_resp(401, "Unauthorized")
        |> halt()
    end
  end
end


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.