
Lack of data validation - Type confusion

Need

Prevent misinterpretation of data types and code injection

Context

• Usage of Elixir for building scalable and fault-tolerant applications

• Usage of Plug Cowboy for building web applications in Elixir

• Usage of input validation for data validation and sanitization

• Usage of explicit type casting (for example, Integer.parse/1 with a check that the whole string was consumed) for enforcing the expected types in Elixir

Description

1. Non-compliant code

defmodule Vulnerable do
  def process(input) do
    # Assumes the input is a string holding a well-formed integer.
    # Integer.parse/1 returns {integer, rest} or :error, so this match
    # crashes on :error and silently discards any trailing characters.
    {number, _rest} = Integer.parse(input)
    IO.puts(number)
  end
end

This Elixir code is vulnerable because it uses the user input without validating its type or shape. If input is not a binary, Integer.parse/1 raises; if it is a string that does not start with digits, the match fails with a MatchError and crashes the process; and a string such as "42abc" is accepted with the trailing characters thrown away, so the value that flows on is not the one the client sent. Misinterpreting untrusted input in this way is a type confusion that can drive the application into paths it did not intend to expose.

2. Steps

• Always validate the type of data you receive from user input.

• Cast the data to the desired type before using it.

3. Secure code example

defmodule Safe do
  # Only binaries reach the parsing clause; any other type is rejected.
  def process(input) when is_binary(input) do
    case Integer.parse(input) do
      # The whole string must be consumed: "42" is accepted, "42abc" is not.
      {number, ""} -> IO.puts(number)
      _ -> IO.puts("Invalid input")
    end
  end

  def process(_input), do: IO.puts("Invalid input")
end

This Elixir code is safe because it checks that the input is a binary and that Integer.parse/1 consumed the whole string before using the number, rejecting anything else with a message instead of crashing the process or silently accepting a partial match.
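The steps above applied to a web request parameter, as an added example that is not code from the original page or from the Plug project. Plug decodes query strings such as ?id=42, ?id[]=42 and ?id[x]=42 into a string, a list and a map respectively, so a handler that assumes params["id"] is always a string is exposed to exactly the type confusion this page describes. The module name StrictParams, the id limit and the sample parameter maps are constructed for the example.

```elixir
# Added example (not from the original page or the Plug project):
# strict parsing of an "id" request parameter with explicit rejection
# of every shape other than a fully consumed, in-range digit string.
defmodule StrictParams do
  # Assumed upper bound for the example; a real application would use
  # the range of its own id column or identifier scheme.
  @max_id 2_147_483_647

  @doc """
  Parse an item id out of a params map as decoded by Plug.

  Only a binary that Integer.parse/1 consumes completely and that falls
  within (0, @max_id] is accepted. Missing values, lists (from ?id[]=...),
  maps (from ?id[x]=...), non-binaries and strings with trailing
  characters are rejected with a reason instead of crashing the process.
  """
  def parse_id(%{"id" => value}), do: parse_id_value(value)
  def parse_id(_params), do: {:error, :missing}

  defp parse_id_value(value) when is_binary(value) do
    case Integer.parse(value) do
      {id, ""} when id > 0 and id <= @max_id -> {:ok, id}
      {_id, ""} -> {:error, :out_of_range}
      {_id, _rest} -> {:error, :trailing_characters}
      :error -> {:error, :not_an_integer}
    end
  end

  defp parse_id_value(value) when is_list(value), do: {:error, :list_not_allowed}
  defp parse_id_value(value) when is_map(value), do: {:error, :map_not_allowed}
  defp parse_id_value(_value), do: {:error, :unexpected_type}

  # Constructed parameter maps in the shapes Plug produces for the query
  # strings named in the comments; they are sample input, not captured data.
  def demo do
    samples = [
      %{"id" => "42"},            # ?id=42            -> {:ok, 42}
      %{"id" => "42abc"},         # ?id=42abc         -> trailing_characters
      %{"id" => "abc"},           # ?id=abc           -> not_an_integer
      %{"id" => "-1"},            # ?id=-1            -> out_of_range
      %{"id" => "99999999999"},   # ?id=99999999999   -> out_of_range
      %{"id" => ["42"]},          # ?id[]=42          -> list_not_allowed
      %{"id" => %{"x" => "42"}},  # ?id[x]=42         -> map_not_allowed
      %{"other" => "42"}          # id absent         -> missing
    ]

    for params <- samples do
      IO.puts("#{inspect(params)} -> #{inspect(parse_id(params))}")
    end
  end
end

StrictParams.demo()
```

In a Plug Cowboy application the call would be parse_id(conn.params) after Plug.Parsers has run, with the {:error, reason} branch mapped to a 400 response. The point of the list and map clauses is that the attacker, not the developer, chooses the shape of a query parameter; matching on the accepted shape and rejecting everything else is what turns type confusion into a handled error.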