Improper Dependency Pinning - Elixir
Need
Prevent installation of unsupported or vulnerable dependencies.
Context
- Usage of Elixir (v1.11+) for building scalable and concurrent applications
- Usage of Mix, Elixir's build tool, for declaring and fetching dependencies in mix.exs
Description
Insecure Code Example
defp deps do
  [
    # Any release at or above 1.0.0 satisfies this, including future major versions
    {:plug, ">= 1.0.0"},
    # "~> 2.1" accepts every 2.x release from 2.1.0 up to (but not including) 3.0.0
    {:cowboy, "~> 2.1"}
  ]
end
This code can be vulnerable because it only sets a minimum version for 'plug': any version above 1.0.0, including a future major release that breaks compatibility or a release with a known vulnerability, may be installed. The 'cowboy' dependency uses a version range, so a resolution can likewise pick up a release within that range that has known vulnerabilities.
Steps
- Specify the exact versions of the dependencies.
- Regularly update the dependencies and thoroughly test the application after updates.
Secure Code Example
defp deps do
  [
    # A bare version string is an exact requirement: only 1.12.1 satisfies it
    {:plug, "1.12.1"},
    # Likewise, only 2.8.0 is accepted here
    {:cowboy, "2.8.0"}
  ]
end
This code is safer as it specifies the exact versions of the dependencies to be used. This ensures that known, compatible versions are installed, reducing the risk of installing incompatible or vulnerable dependencies.
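As an added example, not code from the original page, the following Elixir script classifies each requirement in a Mix deps list as pinned (a bare version such as "1.12.1") or floating (an operator or range such as ">= 1.0.0" or "~> 2.1"), and shows which candidate releases a floating requirement would accept. The deps list and the candidate version strings are constructed for the example and say nothing about real releases of these packages; the module name DepPinAudit is an assumption.

```elixir
# Added example: audit a Mix deps list for requirements that are not pinned
# to an exact version. Not part of the original page.
defmodule DepPinAudit do
  @moduledoc """
  Classifies Mix dependency requirements as pinned (an exact version such as
  "1.12.1") or floating (an operator or range such as ">= 1.0.0" or "~> 2.1").
  """

  # Constructed sample: the page's insecure deps plus one pinned entry for contrast.
  @sample_deps [
    {:plug, ">= 1.0.0"},
    {:cowboy, "~> 2.1"},
    {:jason, "1.4.1"}
  ]

  def sample_deps, do: @sample_deps

  # A bare version string parses with Version.parse/1; a string carrying an
  # operator ("~>", ">=", "and", "or") does not, so it is a floating range.
  def pinned?(requirement) when is_binary(requirement) do
    match?({:ok, _}, Version.parse(requirement))
  end

  # Returns the dependencies whose requirement admits more than one version.
  def floating(deps) do
    Enum.reject(deps, fn {_name, requirement} -> pinned?(requirement) end)
  end

  # Lists the candidate versions a requirement would accept, using the same
  # matching rules Mix applies during dependency resolution.
  def accepted(requirement, candidates) do
    Enum.filter(candidates, &Version.match?(&1, requirement))
  end

  def report(deps \\ @sample_deps) do
    # Illustrative version strings, constructed for the example.
    candidates = ["1.0.0", "1.12.1", "2.1.0", "2.8.0", "2.99.0", "3.0.0"]

    for {name, requirement} <- floating(deps) do
      IO.puts(
        "#{name}: #{inspect(requirement)} is not pinned; would accept " <>
          inspect(accepted(requirement, candidates))
      )
    end

    :ok
  end
end

DepPinAudit.report()
```

Save it as dep_pin_audit.exs and run it with `elixir dep_pin_audit.exs`; it reports 'plug' and 'cowboy' as floating and leaves 'jason' alone. Two caveats for practice: a committed mix.lock already fixes the resolved versions for `mix deps.get`, so exact requirements in mix.exs mainly protect against a regenerated or missing lock file; and pinning makes the second step above (regular updates with testing) mandatory rather than optional, with `mix hex.outdated` showing which pinned versions have newer releases and `mix hex.audit` flagging dependencies that Hex has marked as retired.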
References
Last updated
2023/09/18