Add a security warning to Code.eval_string #5819
lib/elixir/lib/code.ex
@@ -104,6 +104,10 @@ defmodule Code do | |||
The `binding` argument is a keyword list of variable bindings. | |||
The `opts` argument is a keyword list of environment options. | |||
|
|||
**Warning**: `string` is assumed to be fully trusted. If you receive strings | |||
(for example, over the network), passing them into this function can execute | |||
arbitrary code and compromise your machine. |
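Review bot: The added paragraph states the consequence ("can execute arbitrary code and compromise your machine") but not the reason, which is what lets a reader judge the risk: the evaluated string is ordinary Elixir code run with the same privileges as the Erlang VM, with no sandbox of any kind. Consider wording it along the lines of "`string` can be any Elixir code and is executed with the same privileges as the Erlang VM; such code can compromise the machine (for example by executing system commands). Never pass untrusted input, such as strings received over the network, to `eval_string/3`." Since this `@doc` covers `eval_string/1` and `/2` as well, naming the highest arity follows the project's convention and makes clear the warning applies to all of them.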
I am very 👍 to this warning. I would phrase it differently though:

`string` can be any Elixir code and will be executed in the system: this means that such code could compromise the machine (for example by executing system commands). Don't use `eval_string/3` with untrusted input (such as strings coming from the network).

Wdyt?
I like your reworded version. But I don't really know what "executed in the system" specifically refers to - maybe "executed without any kind of sandbox" or "executed with full privileges"? Also, `eval_string` instead of `eval_string/3` because it applies to `/1` and `/2` as well?
> maybe "executed without any kind of sandbox" or "executed with full privileges"

What about "executed with the same privileges as the Erlang VM"?

> Also, `eval_string` instead of `eval_string/3` because it applies to `/1` and `/2` as well?

We always refer to the highest arity when a function is present in different arities because of default arguments. :)
Thanks, updated PR
❤️ 💚 💙 💛 💜
This PR adds a warning to the `Code.eval_string` docs about the security consequences of evaling untrusted strings. You might think that this is obvious or unnecessary, but I've been finding serious security bugs caused by running `eval_string` on untrusted input: tonini/alchemist-server#14; msaraiva/atom-elixir#67
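The bugs linked above share a pattern: a string that was only ever meant to hold a plain term (a keyword list, a map, a number) is handed to `Code.eval_string/3`, so whatever the string actually contains gets executed. The example below is added here and is not part of the PR or of Elixir itself; it shows the hardened alternative, parsing with `Code.string_to_quoted/1` and converting only literal syntax, so nothing is ever evaluated. The module and function names (`SafeTerm.from_string/1`) are assumptions.

```elixir
# Added example, not part of the PR or of Elixir: a literal-only replacement
# for Code.eval_string/3 when a string should hold a plain term (names assumed).
defmodule SafeTerm do
  @doc """
  Parses `string` into a term without evaluating it. Only literal syntax is
  accepted; calls, variables and operators are rejected, so the input is
  never executed with the privileges of the VM.
  """
  def from_string(string) when is_binary(string) do
    case Code.string_to_quoted(string) do
      {:ok, ast} -> to_term(ast)
      {:error, reason} -> {:error, {:parse_error, reason}}
    end
  end

  # Numbers, atoms and strings are already plain values in the AST.
  defp to_term(lit) when is_number(lit) or is_atom(lit) or is_binary(lit),
    do: {:ok, lit}

  # Two-element tuples (and therefore keyword pairs) are represented as themselves.
  defp to_term({a, b}) do
    with {:ok, a} <- to_term(a), {:ok, b} <- to_term(b), do: {:ok, {a, b}}
  end

  # Lists: convert every element, stopping at the first rejection.
  defp to_term(list) when is_list(list) do
    result =
      Enum.reduce_while(list, {:ok, []}, fn elem, {:ok, acc} ->
        case to_term(elem) do
          {:ok, term} -> {:cont, {:ok, [term | acc]}}
          error -> {:halt, error}
        end
      end)

    with {:ok, acc} <- result, do: {:ok, Enum.reverse(acc)}
  end

  # Tuples of other sizes and maps appear as {:{}, meta, args} / {:%{}, meta, args}.
  defp to_term({:{}, _meta, args}) do
    with {:ok, list} <- to_term(args), do: {:ok, List.to_tuple(list)}
  end
  defp to_term({:%{}, _meta, args}) do
    with {:ok, list} <- to_term(args), do: {:ok, Map.new(list)}
  end

  # Any remaining three-element node is a call, variable or operator: refuse it.
  defp to_term({name, _meta, _args}), do: {:error, {:refused, name}}
  defp to_term(other), do: {:error, {:unsupported, other}}
end
```

`SafeTerm.from_string("[timeout: 30, hosts: {\"a\", \"b\"}]")` returns the keyword list, while `SafeTerm.from_string("System.cmd(\"id\", [])")` returns `{:error, {:refused, ...}}` without the call ever running.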