Packages
sobelow
0.13.0
0.14.1
0.14.0
0.13.0
0.12.2
0.12.1
0.12.0
0.11.1
0.11.0
0.10.6
0.10.5
0.10.4
0.10.3
0.10.2
0.10.1
0.10.0
0.9.3
0.9.2
0.9.1
0.9.0
0.8.0
0.7.8
0.7.7
0.7.6
0.7.5
0.7.4
0.7.3
0.7.2
0.7.1
0.7.0
0.6.9
0.6.8
0.6.7
0.6.6
0.6.5
0.6.4
0.6.3
0.6.2
0.6.1
0.6.0
0.5.4
0.5.3
0.5.2
0.5.1
0.5.0
0.4.9
0.4.8
0.4.7
0.4.6
0.4.5
0.4.4
0.4.3
0.4.2
0.4.1
0.4.0
0.3.12
0.3.11
0.3.10
0.3.9
0.3.8
0.3.7
0.3.6
0.3.5
0.3.4
0.3.3
0.3.2
0.3.1
0.3.0
0.2.8
0.2.7
0.2.6
0.2.5
0.2.4
0.2.3
Security-focused static analysis for Elixir & the Phoenix framework
Current section
Files
Jump to
Current section
Files
lib/sobelow/dos/string_to_atom.ex
defmodule Sobelow.DOS.StringToAtom do
@moduledoc """
# Denial of Service via `String.to_atom`
In Elixir, atoms are not garbage collected. As such, if user input
is passed to the `String.to_atom` function, it may result in memory
exhaustion. Prefer the `String.to_existing_atom` function for untrusted
user input.
`String.to_atom` checks can be ignored with the following command:
$ mix sobelow -i DOS.StringToAtom
"""
@uid 13
@finding_type "DOS.StringToAtom: Unsafe `String.to_atom`"
use Sobelow.Finding
def run(fun, meta_file) do
confidence = if !meta_file.is_controller?, do: :low
Finding.init(@finding_type, meta_file.filename, confidence)
|> Finding.multi_from_def(fun, parse_def(fun))
|> Enum.each(&Print.add_finding(&1))
end
def parse_def(fun) do
Parse.get_fun_vars_and_meta(fun, 0, :to_atom, [:String])
end
end