logo

Database

Elixir Untrusted Data Deserialization

Description

This vulnerability detector identifies unsafe deserialization of untrusted data in Elixir applications. When user-controlled input is deserialized without proper validation or safe options, it can lead to remote code execution, data manipulation, or denial of service attacks.

Weakness:

003 - Symmetric denial of service

Category: Functionality Abuse

Detection Strategy

    Identifies calls to known Elixir deserialization functions (such as :erlang.binary_to_term, Erlang.term_to_binary, or similar serialization sinks)

    Checks if the data being deserialized originates from user input sources (HTTP parameters, form data, external APIs, etc.)

    Verifies that safe deserialization options are not configured (missing [:safe] option or equivalent safety mechanisms)

    For piped function calls, analyzes the left-hand side of the pipe as the payload source

    For regular function calls, examines the first argument as payload and second argument as options

    Reports vulnerability when untrusted data flows into deserialization functions without proper safety controls

Vulnerable code example

defmodule VulnerableApp do
  import Plug.Conn

  def handle_request(conn) do
    payload = conn.params["data"]
    
    term = :erlang.binary_to_term(payload)  # Deserializes untrusted input
    ...

✅ Secure code example

defmodule VulnerableApp do
  import Plug.Conn

  def handle_request(conn) do
    payload = conn.params["data"]
    
    term = :erlang.binary_to_term(payload, [:safe])  # Use :safe option to prevent atom creation
    ...