zingo

Elixir/Phoenix security considerations?

I’m learning Elixir and Phoenix now and really like it so far. However, I started thinking about security.

What is the history of 0-day exploits for Phoenix (and Elixir) running on Bandit or Cowboy in production? Is it considered safe? Would it be a good or bad idea to introduce nginx as a reverse proxy? Are there any common pitfalls for a new developer where you can introduce weak points in your web applications?

When searching on Google the only real thing I found was “:erlang.binary_to_term” which could be exploited. Is this something to worry about if you’re not using it explicitly in your code (but maybe the Phoenix framework uses it internally?).

I also found www.paraxial.io, which I guess is a paid service to find/prevent security issues in Elixir/Phoenix applications. Maybe that could be a solution if you’re creating a commercial product, which I’m not doing at the moment.

Most Liked Responses

katafrakt

You may want to check Sobelow which is open source and I think Paraxial is using it as a base. This is only static code analysis, of course.

realcorvus

What is the history of 0-day exploits for Phoenix (and Elixir) running on Bandit or Cowboy in production?

None. The closest we have ever seen to that was an RCE in the paginator library (not installed by default): Remote Code Execution in paginator · CVE-2020-15150 · GitHub Advisory Database · GitHub

Is it considered safe?

Yes! Elixir is (Still) Safe

Would it be a good/bad idea to introduce nginx as a reverse proxy?

It depends on your needs. From a security perspective you can do rate limiting at the Nginx layer or the Elixir app layer; I prefer the Elixir app because it reduces complexity.

When searching on Google the only real thing I found was “:erlang.binary_to_term” which could be exploited. Is this something to worry about if you’re not using it explicitly in your code (but maybe the Phoenix framework uses it internally?).

I’ve checked the Phoenix framework for this; they use the safe version. I’ve pentested several Elixir apps and have not found an instance of it “in the wild” yet, so it is not very common.

I also found www.paraxial.io, which I guess is a paid service to find/prevent security issues in Elixir/Phoenix applications. Maybe that could be a solution if you’re creating a commercial product, which I’m not doing at the moment.

Use the free tier! You get a limited number of scans per month, if your project is non-commercial you’re good to stay on the free tier. (I am the founder of Paraxial.io)
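To make the :erlang.binary_to_term point above concrete, here is an added example (not code from Phoenix, Paraxial or either poster) showing what an unsafe decode lets an attacker do and what the [:safe] option does and does not prevent. The UntrustedTerm and Payload module names, the hand-built atom payload and the fun payload are all constructed for this example; the only library call outside OTP that it mentions, Plug.Crypto.non_executable_binary_to_term/2, is named in a comment as the ready-made alternative to the fun-rejecting walker written here. Note that a signed token (as Phoenix.Token produces) is verified before it is decoded, which is why tampered bytes never reach binary_to_term in that path.

```elixir
# Added example (not Phoenix's own code). Run with: elixir untrusted_term.exs
defmodule UntrustedTerm do
  @moduledoc """
  Decoding Erlang External Term Format (ETF) that came from an untrusted source.

  :erlang.binary_to_term/1 builds whatever the bytes describe: atoms that never
  existed (the atom table is never garbage collected, so this is a
  denial-of-service vector), pids, refs, ports and funs. The [:safe] option
  refuses to create new atoms, but it still decodes a fun whose module is
  already loaded, so code that later calls into the decoded term can be made
  to run attacker-chosen code. Reject funs explicitly as well.
  """

  # Unsafe: accepts any external term.
  def decode_unsafe(bin), do: :erlang.binary_to_term(bin)

  # Safer: no new atoms, and any term containing a fun is refused.
  # Plug.Crypto.non_executable_binary_to_term/2 (plug_crypto) does the same job;
  # the hand-rolled walker below keeps this example dependency-free.
  def decode_safe(bin) do
    term = :erlang.binary_to_term(bin, [:safe])
    if contains_fun?(term), do: {:error, :executable_term}, else: {:ok, term}
  rescue
    ArgumentError -> {:error, :unsafe_term}
  end

  defp contains_fun?(f) when is_function(f), do: true
  defp contains_fun?([head | tail]), do: contains_fun?(head) or contains_fun?(tail)
  defp contains_fun?(tuple) when is_tuple(tuple), do: contains_fun?(Tuple.to_list(tuple))
  defp contains_fun?(map) when is_map(map), do: contains_fun?(Map.to_list(map))
  defp contains_fun?(_other), do: false
end

# Constructed attacker payload: ETF for an atom that does not exist in this VM
# (version byte 131, SMALL_ATOM_UTF8_EXT tag 119, one-byte length, UTF-8 name).
# Built by hand, because term_to_binary/1 would create the atom for us first.
name = "atom_injected_by_attacker"
atom_payload = <<131, 119, byte_size(name), name::binary>>

before = :erlang.system_info(:atom_count)
{:error, :unsafe_term} = UntrustedTerm.decode_safe(atom_payload)
IO.puts("safe decode: #{:erlang.system_info(:atom_count) - before} new atom(s)")

decoded = UntrustedTerm.decode_unsafe(atom_payload)
IO.puts("unsafe decode: #{:erlang.system_info(:atom_count) - before} new atom(s), got #{inspect(decoded)}")

# Constructed fun payload. Payload stands in for a module the attacker also
# has (any module loaded on the target will do); the fun body is harmless here.
defmodule Payload do
  def malicious, do: fn -> :pwned end
end

fun_payload = :erlang.term_to_binary(Payload.malicious())
{:error, :executable_term} = UntrustedTerm.decode_safe(fun_payload)

# [:safe] alone does not help here: the fun decodes and is callable.
fun = :erlang.binary_to_term(fun_payload, [:safe])
:pwned = fun.()
```

The first IO.puts line reports 0 new atoms and the second reports 1: the safe decode fails with badarg (ArgumentError in Elixir) without touching the atom table, while the unsafe decode interns the attacker's atom for the life of the VM. The last two lines are the part people miss: [:safe] returns the fun, so anything that pattern-matches a decoded term and then applies a function found in it is still exploitable.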

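For the rate-limiting remark in the answer above, here is an added example of doing it at the Elixir app layer rather than in nginx. It is not Phoenix's, Paraxial's or the poster's code: the RateLimitPlug module, the ETS table name and the Plug.Test-based demo are all constructed for this example, and it assumes the plug package is available (fetched here with Mix.install).

```elixir
# Added example (not Phoenix's or Paraxial's code). Run with: elixir rate_limit.exs
Mix.install([{:plug, "~> 1.14"}])

defmodule RateLimitPlug do
  @moduledoc """
  Fixed-window rate limiter as a Plug: at most `limit` requests per client IP
  per `window_ms` window. Counters live in a public ETS table and are bumped
  with the atomic :ets.update_counter/4, so the one-process-per-request model
  of Cowboy and Bandit needs no extra locking. State is per node: behind a
  load balancer every node enforces its own budget.
  """
  @behaviour Plug
  import Plug.Conn

  @table :rate_limit_buckets

  @impl true
  def init(opts) do
    %{limit: Keyword.get(opts, :limit, 60), window_ms: Keyword.get(opts, :window_ms, 60_000)}
  end

  @impl true
  def call(conn, %{limit: limit, window_ms: window_ms}) do
    now = System.system_time(:millisecond)
    window = div(now, window_ms)
    key = {client_ip(conn), window}
    # Increments the counter, inserting {key, 0} first if the key is new.
    count = :ets.update_counter(@table, key, {2, 1}, {key, 0})

    if count > limit do
      # Seconds until the next window opens, rounded up.
      retry_after_s = div((window + 1) * window_ms - now + 999, 1000)

      conn
      |> put_resp_header("retry-after", Integer.to_string(retry_after_s))
      |> send_resp(429, "Too Many Requests")
      |> halt()
    else
      conn
    end
  end

  # Call once from a supervised process that outlives the endpoint: an ETS
  # table is destroyed when its owner exits.
  def create_table do
    :ets.new(@table, [:named_table, :public, :set, write_concurrency: true])
  end

  # Drops counters from windows older than the current one; returns how many.
  # Schedule this periodically or the table grows by one row per IP per window.
  def sweep(window_ms) do
    current = div(System.system_time(:millisecond), window_ms)
    :ets.select_delete(@table, [{{{:_, :"$1"}, :_}, [{:<, :"$1", current}], [true]}])
  end

  # remote_ip is the TCP peer. Only swap in X-Forwarded-For if a proxy you
  # control (e.g. nginx) overwrites that header; clients can set it freely.
  defp client_ip(%Plug.Conn{remote_ip: ip}), do: ip
end

# Demo: three requests per minute are allowed, the rest get 429 and Retry-After.
# Plug.Test.conn/3 builds a test conn whose remote_ip defaults to 127.0.0.1.
RateLimitPlug.create_table()
opts = RateLimitPlug.init(limit: 3, window_ms: 60_000)

results =
  for _ <- 1..5 do
    conn = RateLimitPlug.call(Plug.Test.conn(:get, "/login"), opts)
    if conn.halted, do: conn.status, else: :allowed
  end

[:allowed, :allowed, :allowed, 429, 429] = results
IO.inspect(results, label: "results")
IO.inspect(RateLimitPlug.sweep(60_000), label: "stale buckets swept")
```

In a Phoenix app this goes into the endpoint or a router pipeline with `plug RateLimitPlug, limit: 20, window_ms: 60_000` in front of login, password reset and other endpoints worth brute-forcing. The client_ip clause is the security-relevant detail: without a reverse proxy the peer address cannot be forged, but once nginx sits in front, remote_ip becomes nginx's own address and you must read the forwarded header that nginx (and only nginx) sets, otherwise every client shares one bucket or, worse, picks its own.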