OeditusCredo.Check.Security.CodeInjection (OeditusCredo v0.6.0)

Basics

This check is disabled by default.

Learn how to enable it via .credo.exs.

This check has a base priority of higher and works with any version of Elixir.

Explanation

Detects potential code injection vulnerabilities (CWE-94).

Functions like Code.eval_string/1, Code.eval_quoted/1, and Code.eval_file/1 can execute arbitrary code and should be avoided, especially with user-controlled input.

Bad:

Code.eval_string(user_input)
Code.eval_quoted(ast_from_user)
Code.eval_file(params["file"])

Good:

# Use pattern matching, parsers, or safe DSLs instead of eval
Jason.decode!(json_input)
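The contrast the Bad/Good snippets draw, carried through as a complete module. This is an added example, not code from the OeditusCredo project; the module name SafeArithmetic and the functions eval_unsafe/1, eval_safe/1 and apply_op/3 are hypothetical. The first function is the shape this check reports; the second replaces eval with a grammar the feature actually needs and an explicit operator allow-list.

```elixir
# Added example, not code from the OeditusCredo project. The module name
# and all function names are hypothetical.
defmodule SafeArithmetic do
  # Flagged by the check: Code.eval_string/1 evaluates the whole string as
  # Elixir, so a caller can run any expression the BEAM can evaluate, not
  # just arithmetic. Kept here only to show what the check reports.
  def eval_unsafe(user_input) when is_binary(user_input) do
    {result, _bindings} = Code.eval_string(user_input)
    result
  end

  # Safe replacement: accept only the grammar the feature needs (one binary
  # operation on two integers), recognise it with a regex, and dispatch
  # through an explicit allow-list of operators. No path turns the input
  # string into code, so there is nothing for the check to flag.
  def eval_safe(user_input) when is_binary(user_input) do
    case Regex.run(~r/^\s*(-?\d+)\s*([+\-*])\s*(-?\d+)\s*$/, user_input) do
      [_, a, op, b] ->
        {:ok, apply_op(op, String.to_integer(a), String.to_integer(b))}

      nil ->
        {:error, :invalid_expression}
    end
  end

  # Only these three operators exist; any other token fails the regex above.
  defp apply_op("+", a, b), do: a + b
  defp apply_op("-", a, b), do: a - b
  defp apply_op("*", a, b), do: a * b
end
```

SafeArithmetic.eval_safe("2 * 21") returns {:ok, 42}; any string outside that grammar, including anything that looks like a function call, returns {:error, :invalid_expression} without ever being evaluated. The same approach applies to the Code.eval_quoted/1 and Code.eval_file/1 cases: parse into data you control, never into code.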

Check-Specific Parameters

Use the following parameters to configure this check:

:exclude_test_files

Set to true to skip test files (default: false)

This parameter defaults to nil.

:extra_dangerous_functions

Additional Code.* function atoms to flag (default: [])

This parameter defaults to nil.

General Parameters

Like with all checks, general params can be applied.

Parameters can be configured via the .credo.exs config file.
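A .credo.exs fragment that enables this check and sets both parameters, as an added example that is not from the OeditusCredo docs. The check name and the parameter names come from this page; the surrounding configs/checks layout follows the Credo 1.7 convention of listing plugin checks under an extra: key, and that layout, the files: section and the two atoms chosen for :extra_dangerous_functions are assumptions for illustration.

```elixir
# Added example .credo.exs fragment, not taken from the OeditusCredo docs.
# The configs/checks layout and the files: section are assumptions
# (Credo 1.7 style); the check and its parameters are from the page.
%{
  configs: [
    %{
      name: "default",
      files: %{included: ["lib/", "test/"], excluded: []},
      checks: %{
        extra: [
          # The check is disabled by default, so it has to be listed explicitly.
          {OeditusCredo.Check.Security.CodeInjection,
           # Skip test files; fixtures evaluated in tests are not user input.
           exclude_test_files: true,
           # Also flag these Code.* functions, which compile caller-supplied
           # source much like eval does (illustrative choice of atoms).
           extra_dangerous_functions: [:compile_string, :compile_quoted]}
        ]
      }
    }
  ]
}
```

After saving this, mix credo --strict will report every call to Code.eval_string, Code.eval_quoted, Code.eval_file and the two extra functions outside test files, at the check's higher base priority.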