
Insecure Use of Language/Framework API

Why is this important?

Elixir, like any other programming language, exposes powerful and security-sensitive APIs. If these APIs are used incorrectly, the impact on your application can be catastrophic.

Insecure Use of binary_to_term

If user input is passed to Erlang's binary_to_term function, it can cause memory exhaustion (for example by creating atoms, which are never garbage collected) or code execution. Even with the :safe option, binary_to_term will still deserialize functions, so it should not be considered safe to use with untrusted input.

Fixing Insecure Use of binary_to_term

Option A: Avoid user input in binary_to_term

  1. Go through the issues that GuardRails identified in the PR

  2. Identify the following patterns:

    def index(conn, %{"test" => test}) do
      :erlang.binary_to_term(test)
    end
  3. Where possible, avoid the function entirely (accept a data-only format such as JSON instead). If binary_to_term cannot be avoided, restrict what the input may contain and at least pass the :safe option, which rejects binaries that would create new atoms; remember that :safe does not stop functions from being deserialized, so the decoded term must still be validated before it is used.

    def index(conn, %{"test" => test}) do
      # :safe makes decoding fail (badarg / ArgumentError) for binaries that would
      # create new atoms, but funs can still be decoded, so validate the result.
      :erlang.binary_to_term(test, [:safe])
    end
  4. Test it and ensure the functionality works as expected

  5. Ship it 🚢 and relax 🌴
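The following module is an added example written for this page; it is not GuardRails', Sobelow's or the Erlang/OTP project's code. It wraps the :safe decode described above with an allow-list check on the decoded term, and its demo/0 function shows on constructed payloads what :safe alone does and does not stop: an ordinary map round-trips, a hand-built external-term-format binary carrying an atom unknown to the VM is rejected by :safe, and an anonymous fun passes :safe and is caught only by the allow-list. The module name SafeTerm, the @allowed_atoms list and the payloads are assumptions chosen for illustration.

```elixir
defmodule SafeTerm do
  @moduledoc """
  Added example (not from GuardRails, Sobelow or OTP): decode an untrusted
  binary with :safe, then reject any term shape the application does not
  expect. Illustrative module and allow-list; adapt to the real data model.
  """

  # Atoms the application is willing to accept from outside. Booleans and nil
  # are atoms in Elixir, so they must be listed explicitly.
  @allowed_atoms [:name, :count, true, false, nil]

  @doc """
  Decode `bin` into a restricted term.

  Returns {:ok, term}, {:error, :unsafe_or_malformed} when :safe rejects the
  binary (unknown atoms, invalid data), or {:error, :disallowed_term} when
  the binary decodes but contains something outside the allow-list.
  """
  def decode(bin) when is_binary(bin) do
    # :safe stops creation of new atoms (and the unbounded atom table growth
    # that causes memory exhaustion), but funs whose module atom already exists
    # still decode, so the result is validated structurally afterwards.
    term = :erlang.binary_to_term(bin, [:safe])

    if allowed?(term), do: {:ok, term}, else: {:error, :disallowed_term}
  rescue
    # :erlang.binary_to_term/2 raises badarg on unsafe or malformed input,
    # which Elixir surfaces as ArgumentError.
    ArgumentError -> {:error, :unsafe_or_malformed}
  end

  # Plain data is fine: numbers, byte-aligned binaries, and allow-listed atoms.
  defp allowed?(t) when is_integer(t) or is_float(t) or is_binary(t), do: true
  defp allowed?(t) when is_atom(t), do: t in @allowed_atoms
  # Containers are fine only if every element (and every map key) is fine.
  defp allowed?(t) when is_list(t), do: Enum.all?(t, &allowed?/1)
  defp allowed?(t) when is_tuple(t), do: t |> Tuple.to_list() |> Enum.all?(&allowed?/1)
  defp allowed?(t) when is_map(t), do: Enum.all?(t, fn {k, v} -> allowed?(k) and allowed?(v) end)
  # Everything else (funs, pids, ports, references, odd-sized bitstrings) is rejected.
  defp allowed?(_), do: false

  @doc """
  Constructed payloads showing the three outcomes. Run `SafeTerm.demo()` in iex:

      [
        {:data, {:ok, %{count: 3, name: "x"}}},
        {:unknown_atom, {:error, :unsafe_or_malformed}},
        {:fun, {:error, :disallowed_term}}
      ]
  """
  def demo do
    payloads = [
      # 1. Ordinary data, as a well-behaved client would send it.
      {:data, :erlang.term_to_binary(%{name: "x", count: 3})},
      # 2. Hand-built external term format: version tag 131, SMALL_ATOM_UTF8_EXT
      #    tag 119, length 11, then the atom name. Built from bytes rather than
      #    an atom literal so the atom does not exist in this VM; :safe rejects it.
      {:unknown_atom, <<131, 119, 11, "zz_not_here">>},
      # 3. An anonymous fun. Its module atom (SafeTerm) already exists, so :safe
      #    lets it through; only the allow-list check stops it from reaching code
      #    that might call it.
      {:fun, :erlang.term_to_binary(fn -> :pwned end)}
    ]

    for {label, bin} <- payloads, do: {label, decode(bin)}
  end
end
```

In the controller from the steps above, `SafeTerm.decode(test)` would replace the bare `:erlang.binary_to_term(test)` call, with the `{:error, _}` branches mapped to a 400 response rather than a crash. The allow-list is deliberately strict: an application that needs other atoms or structures should extend `allowed?/1` for exactly those shapes instead of relaxing the fallback clause.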

More information