Elixir Erlang Command Injection
Description
This detector identifies command injection vulnerabilities in Elixir and Erlang code. It finds instances where user-controlled input can be passed to system command execution functions, allowing attackers to execute arbitrary commands on the server. This vulnerability can lead to complete system compromise, data theft, or denial of service attacks.
Detection Strategy
• The detector examines function calls and expressions in Elixir/Erlang source code to identify command execution sinks (functions that hand a string to the operating system to run)
• It checks whether the arguments of those command execution calls can be traced back to user-controlled input sources
• A vulnerability is reported when user input flows into a command execution function without sanitization or validation, since that path lets an attacker inject additional shell commands
Vulnerable code example
defmodule VulnerableDemo do
  import Plug.Conn

  def command_injection(conn) do
    user_input = conn.params["cmd"]
    # Vulnerable: user input executed directly via :os.cmd, which runs it through the system shell
    :os.cmd(String.to_charlist(user_input))
  end
end

Secure code example
defmodule VulnerableDemo do
  import Plug.Conn

  def command_injection(conn) do
    user_input = conn.params["cmd"]
    # Safe: only execute predefined commands via an allowlist
    command = case user_input do...
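The allowlist pattern the secure example starts with, carried through to a complete module. This is an added example, not code from Fluid Attacks' page or from any project it describes. It assumes the three action names and the commands they map to (`uptime`, `df -h`, `whoami`), and that `conn` is a `Plug.Conn` whose `params` map has string keys; all three are illustrative choices. The key point is that the user only ever selects a map key, so no user-controlled bytes reach the operating system, and `System.cmd/3` executes the program with an argument vector rather than through a shell, so there is no shell to interpret metacharacters even in principle.

```elixir
defmodule SafeCommandDemo do
  @moduledoc """
  Added example: maps user-supplied action names to fixed commands so that
  user-controlled bytes never reach a shell. Not part of the original page.
  """

  # Allowlist: the key is the only thing the user chooses; the executable and
  # its arguments are fixed here. The entries are illustrative assumptions.
  @allowed_commands %{
    "uptime" => {"uptime", []},
    "disk" => {"df", ["-h"]},
    "whoami" => {"whoami", []}
  }

  @doc """
  Runs the command registered under `action`, or refuses.

  Returns `{:ok, output}` on success, `{:error, {:exit, status}}` if the
  program exits non-zero, and `{:error, :not_allowed}` for any unknown action.
  """
  def run(action) when is_binary(action) do
    case Map.fetch(@allowed_commands, action) do
      {:ok, {executable, args}} ->
        # System.cmd/3 execs the program directly with an argv list. There is
        # no shell involved, so `;`, `|`, `$(...)` and friends in the input
        # could not be interpreted even if they got here (they cannot, because
        # only the map key is user-chosen).
        case System.cmd(executable, args, stderr_to_stdout: true) do
          {output, 0} -> {:ok, output}
          {_output, status} -> {:error, {:exit, status}}
        end

      :error ->
        {:error, :not_allowed}
    end
  end

  # Anything that is not a string (nil, a list from a repeated parameter, ...)
  # is refused rather than coerced.
  def run(_non_binary), do: {:error, :not_allowed}

  # Same entry point shape as the page's handler: read the parameter, but never
  # hand it to :os.cmd. `conn` is assumed to be a Plug.Conn with string keys.
  def command_injection(conn) do
    run(Map.get(conn.params, "cmd", ""))
  end
end

# Usage with constructed input, mimicking what a request parameter might carry.
IO.inspect(SafeCommandDemo.run("uptime"))
# An injection attempt is simply an unknown key and is refused:
IO.inspect(SafeCommandDemo.run("uptime; echo injected"))
IO.inspect(SafeCommandDemo.command_injection(%{params: %{"cmd" => "disk"}}))
```

`System.cmd/3` raises if the executable cannot be found on `PATH`; when that matters, check with `System.find_executable/1` first or wrap the call. The same structure also keeps the detector quiet: the string taken from `conn.params` flows only into `Map.fetch/2`, never into a command execution sink.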