Lack of data validation - Type confusion - Elixir

Need

Prevent misinterpretation of data types and code injection

Context

  • Usage of Elixir for building scalable and fault-tolerant applications
  • Usage of Plug Cowboy for building web applications in Elixir
  • Usage of input validation for data validation and sanitization
  • Usage of pattern matching and guards for ensuring type safety in Elixir

Description

Non compliant code

        defmodule Vulnerable do
          # No type check: a list or map (e.g. what Plug decodes from ?id[]=1)
          # raises FunctionClauseError, and non-numeric text makes the match
          # below raise MatchError, crashing the calling process.
          def process(input) do
            # Integer.parse/1 returns {integer, rest} or :error; trailing text
            # such as "42abc" is silently accepted.
            {number, _rest} = Integer.parse(input)
            IO.puts(Integer.to_string(number))
          end
        end

This Elixir code is vulnerable because it uses the input without first checking its type or shape. Integer.parse/1 raises FunctionClauseError when input is not a string (Plug, for example, decodes ?id[]=1 as a list), the pattern match raises MatchError when the text is not numeric, and a partially numeric value such as "42abc" is accepted with its suffix silently discarded. The result is at best a crashed request process and at worst a wrongly typed value that reaches later logic, where it can be misinterpreted or, if it ends up in code that is evaluated, used for injection.

Steps

  • Always validate the type of data you receive from user input, for example with guards such as is_binary/1, before parsing it.
  • Convert the data to the desired type explicitly (e.g. with Integer.parse/1) and handle the failure case, instead of letting a pattern match raise.

Compliant code

        defmodule Safe do
          # Guard on the type first: anything that is not a string is rejected
          # instead of raising FunctionClauseError.
          def process(input) when is_binary(input) do
            case Integer.parse(input) do
              # Require the whole string to be consumed, so "42abc" is rejected.
              {number, ""} -> IO.puts(Integer.to_string(number))
              _ -> IO.puts("Invalid input")
            end
          end

          def process(_other), do: IO.puts("Invalid input")
        end

This Elixir code is safe because it checks that the input is a string before parsing it, requires the entire string to be a valid integer, and handles the failure case explicitly, so an unexpected type or value produces a controlled error instead of a crash or a misinterpreted value.
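The same check applied to an HTTP request parameter in a Plug Cowboy application, as an added example that is not code from the original page. The module names SafeParam and SafeRouter, the /items route, the query parameter name and the upper bound are assumptions; the code requires the plug and plug_cowboy dependencies.

```elixir
# Added example (not from the original page). Assumes a Plug Cowboy
# application; SafeParam, SafeRouter, the route and the bound are hypothetical.
defmodule SafeParam do
  @moduledoc """
  Parses an untrusted request parameter into a bounded integer.

  Plug decodes `?id=42` as the string "42", but `?id[]=42` as the list
  ["42"] and `?id[x]=42` as a map. Code that assumes a string is therefore
  exposed to type confusion unless the type is checked explicitly.
  """

  @max_id 1_000_000

  @doc "Returns {:ok, integer} or {:error, reason}; never raises on bad input."
  def parse_id(value) when is_binary(value) do
    case Integer.parse(value) do
      # Require the whole string to be consumed: "42abc" is rejected.
      {n, ""} when n > 0 and n <= @max_id -> {:ok, n}
      {_n, ""} -> {:error, :out_of_range}
      _ -> {:error, :not_an_integer}
    end
  end

  # Lists, maps, nil (missing parameter) and anything else are rejected
  # instead of raising a FunctionClauseError inside the request process.
  def parse_id(_other), do: {:error, :wrong_type}
end

defmodule SafeRouter do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/items" do
    conn = Plug.Conn.fetch_query_params(conn)

    case SafeParam.parse_id(conn.query_params["id"]) do
      {:ok, id} ->
        send_resp(conn, 200, "item #{id}")

      {:error, reason} ->
        # Reject early with a client error rather than a crash (500).
        send_resp(conn, 400, "invalid id: #{reason}")
    end
  end

  match _ do
    send_resp(conn, 404, "not found")
  end
end

# Start with: Plug.Cowboy.http(SafeRouter, [], port: 4000)
```

With this in place, ?id=42 is served, while ?id=42abc, ?id=0, ?id[]=42, ?id[x]=42 and a missing id all return 400 with a reason, and none of them can crash the request process or hand a non-integer to the code that uses the id.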

References