Lack of data validation - Type confusion

Need

Prevent misinterpretation of data types and code injection

Context

  • Usage of Elixir for building scalable and fault-tolerant applications
  • Usage of Plug Cowboy for building web applications in Elixir
  • Usage of input validation for data validation and sanitization
  • Usage of type casting for ensuring type safety in TypeScript

Description

Non compliant code

defmodule Vulnerable do
  def process(input) do
    # Integer.parse/1 returns {integer, rest} or :error. This bare match
    # assumes success: any input that is not an integer string (for example
    # "abc", "" or a non-string value) crashes the process with MatchError.
    {number, _rest} = Integer.parse(input)
    IO.puts(number)
  end
end

This Elixir code is vulnerable because it uses the user input directly without validating its type: the pattern match assumes the parse succeeded, so any input that is not an integer string is never handled and crashes the process. This can lead to type confusion and potentially code execution.

Steps

  • Always validate the type of data you receive from user input.
  • Cast the data to the desired type before using it.

Compliant code

defmodule Safe do
  def process(input) when is_binary(input) do
    # Integer.parse/1 returns {integer, rest} or :error. Accept only input
    # that parses completely, with no trailing characters such as "12abc".
    case Integer.parse(input) do
      :error -> IO.puts("Invalid input")
      {number, ""} -> IO.puts(number)
      {_number, _rest} -> IO.puts("Invalid input")
    end
  end

  # Anything that is not a string (integer, list, map) is rejected instead
  # of being passed to Integer.parse/1, which would raise on it.
  def process(_input), do: IO.puts("Invalid input")
end

This Elixir code is safe because it validates the type of the input data before using it: every possible result of Integer.parse/1 is handled explicitly, so malformed input is rejected instead of being misinterpreted, preventing type confusion and potential code execution.
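
The following module is an added example that is not part of the original page; it carries the two Steps above (validate the type, then cast) and the compliant pattern a bit further than Safe.process/1. The module name InputValidation, the function names and the range 1..1_000 are assumptions chosen for illustration. It returns tagged tuples instead of printing inside the parser, rejects non-string values that a JSON or query parser might hand over (the type-confusion case), rejects trailing characters such as "12abc" or "3.14", caps the input length, and bounds the resulting integer so a valid parse cannot still be an abusive value. The sample inputs at the bottom are constructed.

```elixir
defmodule InputValidation do
  @moduledoc """
  Added example (not from the original page): strict integer validation
  for untrusted input, returning tagged tuples instead of crashing.
  """

  # Assumed upper bound on the raw string; long digit strings are rejected early.
  @max_len 20

  @doc """
  Accepts a binary (string) and returns {:ok, integer} only when the whole
  string is an integer. Any other shape or type yields {:error, reason}.
  """
  def parse_integer(input) when is_binary(input) do
    trimmed = String.trim(input)

    cond do
      byte_size(trimmed) == 0 ->
        {:error, :empty}

      byte_size(trimmed) > @max_len ->
        {:error, :too_long}

      true ->
        # Integer.parse/1 returns {integer, rest} or :error; a non-empty
        # rest means trailing garbage such as "12abc" or "3.14".
        case Integer.parse(trimmed) do
          {number, ""} -> {:ok, number}
          {_number, _rest} -> {:error, :trailing_characters}
          :error -> {:error, :not_an_integer}
        end
    end
  end

  # Type-confusion guard: a JSON body or query parser may deliver an
  # integer, list or map instead of a string. Reject rather than coerce,
  # so the caller's contract ("a string from the request") is enforced.
  def parse_integer(_other), do: {:error, :wrong_type}

  @doc """
  Validates that the parsed integer falls within an allowed range (for
  example a page size or an ID) so a well-formed value cannot be abused.
  """
  def parse_bounded_integer(input, min, max) when is_integer(min) and is_integer(max) do
    with {:ok, number} <- parse_integer(input),
         true <- number >= min and number <= max do
      {:ok, number}
    else
      false -> {:error, :out_of_range}
      {:error, reason} -> {:error, reason}
    end
  end

  @doc "Same workflow as the page's Safe.process/1, but it never crashes."
  def process(input) do
    case parse_bounded_integer(input, 1, 1_000) do
      {:ok, number} -> IO.puts("Valid integer: #{number}")
      {:error, reason} -> IO.puts("Invalid input (#{reason})")
    end
  end
end

# Constructed sample inputs covering the shapes a web handler typically sees:
# valid, padded, trailing garbage, a float, empty, wrong types, out of range.
for input <- ["42", " 7 ", "12abc", "3.14", "", 42, [1, 2], %{}, "99999999999"] do
  IO.inspect({input, InputValidation.parse_bounded_integer(input, 1, 1_000)})
end
```

Run it as a script with elixir input_validation.exs (assumed file name). A Plug Cowboy handler would call parse_bounded_integer/3 on the raw parameter and map {:error, _} to a 400 response; keeping the parser free of IO makes that mapping, and unit testing, straightforward.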

References