Basics
This check is disabled by default.
Learn how to enable it via .credo.exs.
This check has a base priority of high and works with any version of Elixir.
Explanation
Creating atoms dynamically from environment variables is potentially unsafe because atoms are not garbage-collected by the runtime.
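The following added example (not part of Enviable or of the original page) uses only the Elixir standard library to show the atom table growing under unsafe conversion, next to an existing-atom lookup and an allow-list lookup that do not create an atom per input. The module name AtomSafetyDemo and the input strings are constructed for illustration.

```elixir
# Added example: Elixir standard library only. AtomSafetyDemo and the input
# values are constructed for illustration.
defmodule AtomSafetyDemo do
  @allowed [:foo, :bar]

  # Unsafe: every distinct input string becomes a new, permanent atom.
  def unsafe(value), do: String.to_atom(value)

  # Existing-atom conversion: succeeds only if the atom is already in the
  # atom table, so unknown input cannot grow it.
  def existing(value) do
    {:ok, String.to_existing_atom(value)}
  rescue
    ArgumentError -> :error
  end

  # Allow-list conversion: compare as strings, so no atom is created for a
  # value that is not on the list.
  def allowed(value) do
    case Enum.find(@allowed, &(Atom.to_string(&1) == value)) do
      nil -> :error
      atom -> {:ok, atom}
    end
  end

  def atom_count, do: :erlang.system_info(:atom_count)
end

# Constructed strings standing in for untrusted environment variable values.
tag = System.unique_integer([:positive])
values = for i <- 1..1_000, do: "constructed_#{tag}_#{i}"

# Warm up so lazy module loading does not skew the counts below.
AtomSafetyDemo.existing("foo")
AtomSafetyDemo.allowed("foo")

start = AtomSafetyDemo.atom_count()
Enum.each(values, &AtomSafetyDemo.existing/1)
Enum.each(values, &AtomSafetyDemo.allowed/1)
after_safe = AtomSafetyDemo.atom_count()
Enum.each(values, &AtomSafetyDemo.unsafe/1)
after_unsafe = AtomSafetyDemo.atom_count()

IO.puts("atom table limit:          #{:erlang.system_info(:atom_limit)}")
IO.puts("added by safe conversions: #{after_safe - start}")
IO.puts("added by String.to_atom/1: #{after_unsafe - after_safe}")
IO.inspect(AtomSafetyDemo.allowed("foo"), label: "allowed(\"foo\")")
IO.inspect(AtomSafetyDemo.allowed("baz"), label: "allowed(\"baz\")")
```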
Enviable functions that convert to atoms or modules should use the :allowed
option to restrict which atoms can be created:
Enviable.get_env_as_atom("VAR", allowed: [:foo, :bar])
Enviable.fetch_env_as_module!("MODULE", allowed: [MyApp.Foo, MyApp.Bar])
Or use the safe variants that only work with existing atoms:
Enviable.get_env_as_safe_atom("VAR")
Enviable.fetch_env_as_safe_module("MODULE")
This also applies to generic conversion functions and encoded types:
# Unsafe
Enviable.get_env_as("VAR", :atom)
Enviable.get_env_as("VAR", {:base64, :module})
Enviable.get_env_as_list("ITEMS", as: :atom)
# Safe alternatives
Enviable.get_env_as("VAR", :safe_atom)
Enviable.get_env_as("VAR", {:base64, :safe_module})
Enviable.get_env_as_list("ITEMS", as: :safe_atom)
When using import Enviable, the check applies to bare function calls:
import Enviable
# Unsafe
get_env_as_atom("VAR")
fetch_env_as_list!("ITEMS", as: :module)
# Safe
get_env_as_safe_atom("VAR")
fetch_env_as_list!("ITEMS", as: :safe_module)
This check can be configured to always warn even when using the :allowed option:
{Enviable.Credo.UnsafeAtom, permit_with_allowed: false}
Check-Specific Parameters
Use the following parameters to configure this check:
:permit_with_allowed
Allow unsafe functions if the :allowed option is present.
This parameter defaults to true.
General Parameters
Like with all checks, general params can be applied.
Parameters can be configured via the .credo.exs config file.