
Lack of data validation - Type confusion - Elixir


Need

Prevent misinterpretation of data types and code injection


Context

  1. Usage of Elixir for building scalable and fault-tolerant applications
  2. Usage of Plug Cowboy for building web applications in Elixir
  3. Usage of input validation for data validation and sanitization
  4. Usage of type casting for ensuring type safety in TypeScript

Description

Insecure Code Example

defmodule Vulnerable do
  # No type or format check on input: Integer.parse/1 returns
  # {integer, rest} or :error, so a non-integer string fails the match
  # and crashes the process with MatchError, a non-binary input (list,
  # map, nil) raises FunctionClauseError inside Integer.parse/1, and a
  # string such as "42abc" is silently accepted as 42.
  def process(input) do
    {number, _rest} = Integer.parse(input)
    IO.puts(number)
  end
end

This Elixir code is vulnerable because it uses the user input directly, without validating its type or format before parsing it. This can lead to type confusion and potentially code execution.

Steps

  1. Always validate the type of data you receive from user input.
  2. Cast the data to the desired type before using it.

Secure Code Example

defmodule Safe do
  # Only binaries are parsed, and only when the whole string is an integer:
  # Integer.parse/1 returns {integer, rest}, so requiring rest == ""
  # rejects "42abc" as well as "" and "abc" (which yield :error).
  def process(input) when is_binary(input) do
    case Integer.parse(input) do
      {number, ""} -> IO.puts(number)
      _ -> IO.puts("Invalid input")
    end
  end

  # Any other type (list, map, nil, float) is rejected instead of raising.
  def process(_input), do: IO.puts("Invalid input")
end

This Elixir code is safe because it validates the type of the input data before using it, preventing type confusion and potential code execution.
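The same validation applied to a request parameter map of the kind Plug Cowboy produces, as an added example that is not part of the original page; the module name ParamCast and its functions to_int/2 and fetch_int/3 are assumptions made for this illustration.

```elixir
# Added example (not from the original page). For "?id=42" Plug decodes
# %{"id" => "42"}; for "?id[]=42" it decodes %{"id" => ["42"]}; for
# "?id[x]=1" it decodes %{"id" => %{"x" => "1"}}. Integer.parse/1 raises
# FunctionClauseError on a list or map, so an unvalidated handler crashes
# the request instead of rejecting it.
defmodule ParamCast do
  @doc "Casts a request parameter to a bounded integer or returns an error."
  def to_int(value, opts \\ [])

  # Only the exact decimal form is accepted: "42abc" and "" are rejected.
  def to_int(value, opts) when is_binary(value) do
    case Integer.parse(value) do
      {int, ""} -> check_range(int, opts)
      _ -> {:error, :not_an_integer}
    end
  end

  # An integer already (e.g. from a JSON body) still gets the range check.
  def to_int(value, opts) when is_integer(value), do: check_range(value, opts)

  # Lists, maps, nil, floats: reject explicitly instead of raising.
  def to_int(_value, _opts), do: {:error, :wrong_type}

  defp check_range(int, opts) do
    min = Keyword.get(opts, :min, 0)
    max = Keyword.get(opts, :max, 2_147_483_647)

    if int >= min and int <= max, do: {:ok, int}, else: {:error, :out_of_range}
  end

  @doc "Fetches and casts one key from a params map such as Plug.Conn.params."
  def fetch_int(params, key, opts \\ []) when is_map(params) do
    case Map.fetch(params, key) do
      {:ok, value} -> to_int(value, opts)
      :error -> {:error, :missing}
    end
  end
end

# Constructed sample inputs shaped like Plug's decoded query parameters.
for params <- [
      %{"id" => "42"},
      %{"id" => "42abc"},
      %{"id" => ["42"]},
      %{"id" => %{"x" => "1"}},
      %{"id" => "-7"},
      %{}
    ] do
  IO.inspect({params, ParamCast.fetch_int(params, "id")})
end
```

Run with `elixir param_cast.exs`; every input yields an `{:ok, _}` or `{:error, _}` tuple that the handler can turn into a 400 response, and none of them raises.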


References

  • 127 - Lack of data validation - Type confusion

  • Last updated: 2023/09/18