Elixir/Phoenix security considerations?

I’m learning Elixir and Phoenix now and really like it so far. However, I started thinking about security.

What is the history of 0day-exploits for Phoenix (and Elixir) running on bandit or cowboy in production? Is it considered safe? Would it be a good/bad idea to introduce nginx as a reverse proxy? Any common pitfalls for a new developer where you can introduce weak points in your web-applications?

When searching on Google the only real thing I found was “:erlang.binary_to_term” which could be exploited. Is this something to worry about if you’re not using it explicitly in your code (but maybe the Phoenix framework uses it internally?).

I also found www.paraxial.io, which I guess is a paid service to find/prevent security issues in Elixir/Phoenix-applications. Maybe that could be a solution if you’re creating a commercial product, which I’m not doing at the moment.

3 Likes

You may want to check Sobelow, which is open source; I think Paraxial is using it as a base. This is only static code analysis, of course.

8 Likes

The website of the EEF Security WG is also quite a good resource: EEF Security WG | Documentation, specifications and code from the Security Working Group of the Erlang Ecosystem Foundation

9 Likes

What is the history of 0day-exploits for Phoenix (and Elixir) running on bandit or cowboy in production?

None; the closest that we have ever seen to that was an RCE in the paginator library (not installed by default) - Remote Code Execution in paginator · CVE-2020-15150 · GitHub Advisory Database · GitHub

Is it considered safe?

Yes! Elixir is (Still) Safe

Would it be a good/bad idea to introduce nginx as a reverse proxy?

It depends on your needs. From a security perspective you can do rate limiting at the Nginx layer or the Elixir app layer; I prefer the Elixir app because it reduces complexity.

When searching on Google the only real thing I found was “:erlang.binary_to_term” which could be exploited. Is this something to worry about if you’re not using it explicitly in your code (but maybe the Phoenix framework uses it internally?).

I’ve checked the Phoenix framework for this, they use the safe version. I’ve pentested several Elixir apps and have not found an instance of it “in the wild” yet, so not very common.

I also found www.paraxial.io, which I guess is a paid service to find/prevent security issues in Elixir/Phoenix-applications. Maybe that could be a solution if you’re creating a commercial product, which I’m not doing at the moment.

Use the free tier! You get a limited number of scans per month; if your project is non-commercial, you’re good to stay on the free tier. (I am the founder of Paraxial.io)

7 Likes
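To make the "safe version" point in the reply above concrete, here is an added example (not code from Phoenix, Plug or any poster in this thread) showing the two layers that matter when decoding Erlang external term format from an untrusted source. The first layer is the `:safe` option to `:erlang.binary_to_term/2`, which refuses to create new atoms or external function references (atoms are never garbage collected, so an attacker feeding fresh atom names can exhaust VM memory). The second layer is a walk over the decoded term that rejects any function value, because `:safe` alone still decodes funs whose module and atoms already exist; that second check is the idea behind `Plug.Crypto.non_executable_binary_to_term/2`, which is what Plug's session and token code rely on. The module name, the `demo/0` function and its inputs are constructed for this example and assume nothing beyond OTP.

```elixir
defmodule UntrustedTerm do
  @moduledoc """
  Decode Erlang external term format (what :erlang.term_to_binary/1 produces)
  that arrives from an untrusted source, e.g. a cookie or a message off the wire.

  Layer 1: the :safe option makes :erlang.binary_to_term/2 fail instead of
  creating new atoms or external function references.
  Layer 2: a walk over the decoded term rejects any function value, since
  :safe alone still decodes funs that reference already-loaded modules.
  This is a dependency-free illustration of the same idea that
  Plug.Crypto.non_executable_binary_to_term/2 implements, not Plug's code.
  """

  @doc "Returns {:ok, term} or {:error, reason}; never raises on hostile input."
  def decode(binary) when is_binary(binary) do
    term = :erlang.binary_to_term(binary, [:safe])

    if executable?(term) do
      {:error, :executable_term}
    else
      {:ok, term}
    end
  rescue
    # badarg from binary_to_term surfaces as ArgumentError in Elixir: either a
    # malformed binary, an atom this VM has not interned, or an external fun.
    ArgumentError -> {:error, :unsafe_or_malformed}
  end

  # Recursive walk: a fun anywhere inside the term makes it executable.
  # Lists are walked clause by clause so an improper list ([1 | 2]) cannot
  # crash the check; the tail simply falls through to the catch-all clause.
  defp executable?(term) when is_function(term), do: true
  defp executable?([head | tail]), do: executable?(head) or executable?(tail)
  defp executable?(tuple) when is_tuple(tuple), do: tuple |> Tuple.to_list() |> executable?()
  defp executable?(map) when is_map(map), do: map |> Map.to_list() |> executable?()
  defp executable?(_other), do: false

  @doc "Constructed inputs exercising the three outcomes (not real traffic)."
  def demo do
    # Ordinary data: strings, integers, lists and maps decode fine.
    plain = :erlang.term_to_binary(%{"user_id" => 42, "roles" => ["viewer"]})

    # A serialized anonymous function: :safe lets it through, the walk does not.
    with_fun = :erlang.term_to_binary(fn -> :ok end)

    # SMALL_ATOM_UTF8_EXT (version 131, tag 119) naming an atom this VM has
    # never interned; built by hand so compiling this file does not create it.
    name = "zz_untrusted_atom_9f3a"
    new_atom = <<131, 119, byte_size(name), name::binary>>

    Enum.map([plain, with_fun, new_atom], &decode/1)
  end
end
```

`UntrustedTerm.demo/0` yields `{:ok, map}` for the plain payload, `{:error, :executable_term}` for the serialized fun, and `{:error, :unsafe_or_malformed}` for the hand-built atom. In a Phoenix app you would normally call `Plug.Crypto.non_executable_binary_to_term(binary, [:safe])` instead of rolling your own walk, and in either case cap the byte size of the binary before decoding, since `:safe` says nothing about how large or deeply nested a term is allowed to be.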