Insecure Use of Language/Framework API

Why is this important?

Elixir, like any other programming language, has powerful or security related APIs. If these APIs are not used properly, it can have a catastrophic impact on your app.

Insecure Use of binary_to_term

If user input is passed to Erlang's binary_to_term function it may result in memory exhaustion or code execution. Even with the :safe option, binary_to_term will deserialize functions, and shouldn't be considered safe to use with untrusted input.

Fixing Insecure Use of binary_to_term

Option A: Avoid user input in binary_to_term

Go through the issues that GuardRails identified in the PR.
Identify the following patterns:

def index(conn, %{"test" => test}) do
  :erlang.binary_to_term(test)
end

Where possible, avoid the function entirely, or only allow certain allowed user-input.

def index(conn, %{"test" => test}) do
  :erlang.binary_to_term(test, [safe])
end

Test it and ensure the functionality works as expected
Ship it 🚢 and relax 🌴

More information

binary_to_term(1)
binary_to_term(2)
How to destroy your application using :erlang.binary_to_term/1

GuardRails

General

Apex

C/C++

Dotnet

Elixir

Go

Java

Javascript/TypeScript

Kubernetes

PHP

Python

Ruby

Rust

Solidity

Terraform