Add a security warning to Code.eval_string #5819
Conversation
lib/elixir/lib/code.ex
Outdated
| @@ -104,6 +104,10 @@ defmodule Code do | |||
| The `binding` argument is a keyword list of variable bindings. | |||
| The `opts` argument is a keyword list of environment options. | |||
|
|
|||
| **Warning**: `string` is assumed to be fully trusted. If you receive strings | |||
| (for example, over the network), passing them into this function can execute | |||
| arbitrary code and compromise your machine. | |||
There was a problem hiding this comment.
I am very 👍 to this warning. I would phrase it differently though:
stringcan be any Elixir code and will be executed in the system: this means that such code could compromise the machine (for example by executing system commands). Don't useeval_string/3with untrusted input (such as strings coming from the network).
Wdyt?
There was a problem hiding this comment.
I like your reworded version. But I don't really know what "executed in the system" specifically refers to - maybe "executed without any kind of sandbox" or "executed with full privileges"? Also, eval_string instead of eval_string/3 because it applies to /1 and /2 as well?
There was a problem hiding this comment.
maybe "executed without any kind of sandbox" or "executed with full privileges"
What about "executed with the same privileges of the Erlang VM"?
Also, eval_string instead of eval_string/3 because it applies to /1 and /2 as well?
We always refer to the highest arity when a function is present in different arities because of default arguments. :)
|
❤️ 💚 💙 💛 💜 |
This PR adds a warning to the
Code.eval_stringdocs about the security consequences of evaling untrusted strings.You might think that this is obvious or unnecessary, but I've been finding serious security bugs caused by running
eval_stringon untrusted input: tonini/alchemist-server#14; msaraiva/atom-elixir#67