OeditusCredo.Check.Security.UnsafeDeserialization
(OeditusCredo v0.6.3)
Basics
This check is disabled by default.
Learn how to enable it via .credo.exs.
This check has a base priority of higher and works with any version of Elixir.
Explanation
Detects potential unsafe deserialization vulnerabilities (CWE-502).
Deserializing untrusted binary data can execute malicious payloads or construct dangerous terms.
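The safe pattern this check steers toward (authenticate the payload, then decode with [:safe]), worked through as an added example that is not code from OeditusCredo or its documentation. The SafeTerm module, its constant key and the "HMAC prepended to payload" layout are assumptions made for this example; OTP 22.1+ is assumed for :crypto.mac/4.

```elixir
# Added example, not part of OeditusCredo. The key is a constant only for the demo;
# a real system loads it from configuration or a secrets store.
defmodule SafeTerm do
  import Bitwise, only: [bor: 2, bxor: 2]

  @key "demo-hmac-key-replace-with-a-secret-from-config"

  # Sender side: serialize, then prepend an HMAC so the receiver can check origin
  # and integrity before it ever touches the term data.
  def encode(term) do
    payload = :erlang.term_to_binary(term)
    :crypto.mac(:hmac, :sha256, @key, payload) <> payload
  end

  # Receiver side: verify the MAC first; only then decode, still passing [:safe]
  # as defense in depth (it rejects terms that would create new atoms or carry funs).
  def decode(<<mac::binary-size(32), payload::binary>>) do
    expected = :crypto.mac(:hmac, :sha256, @key, payload)

    if secure_compare(mac, expected) do
      {:ok, :erlang.binary_to_term(payload, [:safe])}
    else
      {:error, :bad_signature}
    end
  end

  def decode(_), do: {:error, :malformed}

  # Constant-time comparison so the MAC check does not leak timing information.
  defp secure_compare(a, b) when byte_size(a) == byte_size(b) do
    Enum.zip(:binary.bin_to_list(a), :binary.bin_to_list(b))
    |> Enum.reduce(0, fn {x, y}, acc -> bor(acc, bxor(x, y)) end)
    |> Kernel.==(0)
  end

  defp secure_compare(_, _), do: false
end

# An honest payload round-trips; a payload with one flipped MAC bit is rejected
# before binary_to_term runs at all.
signed = SafeTerm.encode(%{user: "alice", role: :reader})
{:ok, %{user: "alice", role: :reader}} = SafeTerm.decode(signed)
<<first, rest::binary>> = signed
{:error, :bad_signature} = SafeTerm.decode(<<:erlang.bxor(first, 1), rest::binary>>)

# Even if a MAC were valid, [:safe] refuses a term that smuggles in a fun.
try do
  :erlang.binary_to_term(:erlang.term_to_binary(fn -> :ok end), [:safe])
rescue
  ArgumentError -> IO.puts("[:safe] rejected a fun in the payload")
end
```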
Bad:
:erlang.binary_to_term(data)
Plug.Crypto.non_executable_binary_to_term(data)
Better:
:erlang.binary_to_term(data, [:safe])
# Validate and authenticate payload origin before deserialization
Check-Specific Parameters
Use the following parameters to configure this check:
:exclude_test_files
Set to true to skip test files (default: false)
This parameter defaults to nil.
General Parameters
Like with all checks, general params can be applied.
Parameters can be configured via the .credo.exs config file.