Lack of data validation - Type confusion
Need
Prevent misinterpretation of data types and code injection
Context
- Usage of Elixir for building scalable and fault-tolerant applications
- Usage of Plug Cowboy for building web applications in Elixir
- Usage of input validation for data validation and sanitization
- Usage of type casting and pattern matching for ensuring type safety in Elixir
Description
Non compliant code
defmodule Vulnerable do
  def process(input) do
    # Integer.parse/1 returns {integer, rest} or :error; the remainder is
    # discarded here and the :error case is never handled.
    {number, _rest} = Integer.parse(input)
    IO.puts(number)
  end
end
This Elixir code is vulnerable because it assumes that input is a string containing nothing but an integer. A non-string value (for example a list produced by a repeated query parameter, or nil for a missing one) makes Integer.parse/1 raise, a non-numeric string makes the pattern match fail and crashes the calling process, and a string such as "42abc" is silently accepted as 42 because the unparsed remainder is thrown away. A value that is misinterpreted in this way reaches downstream code with a type or content it did not expect, and where it is later interpolated into a query or command it becomes the first step of an injection.
Steps
- Always validate the type of data you receive from user input before passing it to parsing functions: check that it is a string, and reject anything else.
- Cast the data to the desired type before using it, and handle every possible result of the cast (failure, trailing characters, out-of-range values) explicitly rather than letting a pattern match crash.
Compliant code
defmodule Safe do
  # Only binaries are parsed; the guard rejects lists, maps and nil.
  def process(input) when is_binary(input) do
    case Integer.parse(input) do
      # The whole string must be consumed; "42abc" is not accepted as 42.
      {number, ""} -> IO.puts(number)
      _ -> IO.puts("Invalid input")
    end
  end

  def process(_input), do: IO.puts("Invalid input")
end
This Elixir code is safe because it accepts only strings that consist entirely of an integer and handles every other outcome explicitly, so the process neither crashes on unexpected input nor passes a misinterpreted value on to the rest of the application.
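The following is an added example, not code from the original page, that applies the two steps above inside a Plug.Cowboy application, the context named at the top of the page. It generalizes the compliant code: the parser returns a tagged result instead of printing, distinguishes the four failure modes (wrong type, not an integer, trailing characters, out of range), and the router turns any failure into a 400 response. The module names SafeParams and SafeRouter, the /items route and the page parameter are assumptions made for this illustration.

```elixir
# Added example (not part of the original page). Module names, route and
# parameter names are assumptions chosen for the illustration.
defmodule SafeParams do
  # Function head so the default for `opts` applies to every clause below.
  def parse_int(value, opts \\ [])

  # Returns {:ok, integer} only when the entire string is a base-10 integer
  # inside [min, max]; every other input yields a descriptive {:error, _}.
  def parse_int(value, opts) when is_binary(value) do
    min = Keyword.get(opts, :min, 0)
    max = Keyword.get(opts, :max, 1_000_000)

    case Integer.parse(value) do
      {n, ""} when n >= min and n <= max -> {:ok, n}
      {_n, ""} -> {:error, :out_of_range}
      {_n, _rest} -> {:error, :trailing_characters}
      :error -> {:error, :not_an_integer}
    end
  end

  # Non-string values (a list from `page[]=1&page[]=2`, a map, or nil when the
  # parameter is missing) are rejected here instead of being handed to
  # Integer.parse/1, which would raise a FunctionClauseError.
  def parse_int(_value, _opts), do: {:error, :not_a_string}
end

defmodule SafeRouter do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/items" do
    conn = Plug.Conn.fetch_query_params(conn)

    # The raw query value may be a string, a list, a map or nil; SafeParams
    # decides which of those is acceptable before the value is used.
    case SafeParams.parse_int(Map.get(conn.query_params, "page"), max: 10_000) do
      {:ok, page} ->
        send_resp(conn, 200, "page #{page}")

      {:error, reason} ->
        # Reject rather than guess: a 400 with the reason is safer than
        # defaulting to page 1 or crashing the request process.
        send_resp(conn, 400, "invalid page: #{reason}")
    end
  end

  match _ do
    send_resp(conn, 404, "not found")
  end
end

# Start the server with: Plug.Cowboy.http(SafeRouter, [], port: 4000)
```

With this in place, GET /items?page=7 returns 200, while /items?page=7abc, /items?page=abc, /items?page=99999999, /items?page[]=1 and a request with no page parameter all return 400 with the matching reason. Bounding the range is part of the cast: an integer is the right type, but an unbounded one is still untrusted data when it later selects an offset or an allocation size.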