johmue

johmue

Failing String.to_integer/1 due to malicious requests

When working on Phoenix projects I sometimes need to take integers as a string as user input from HTTP requests. When I use String.to_integer/1 to get the integer values, an attacker could easily craft a request that makes String.to_integer/1 raise an exception and thus crash the Erlang process.

Question: Is this failing String.to_integer/1 a security issue? Or does will only make the concerning Erlang process crash without further damage? What do I have to look after?

Marked As Solved

Nicd

Nicd

Answering your direct question about security issues, then by itself it’s not a security issue. Phoenix will reply with a 500 error to the user which is not good UX, but assuming you’re in prod mode, it won’t leak any details. The memory of the process will be garbage collected and the system stability won’t be affected.

Now where it can be an issue is if your system relies on the process to do something security related and it crashes in the middle of that, leaving side effects or leaving something undone. Usually you’d use DB transactions to prevent issues from such matters but maybe you’re also talking to external systems, handling files, etc., where it’s not that simple. Only you can spot those dangerous places in your application.

Also Liked

eksperimental

eksperimental

From the docs:

https://hexdocs.pm/elixir/String.html#to_integer/1

If you want to parse a string that may contain an ill-formatted integer, use Integer.parse/1.

kokolegorille

kokolegorille

You might use guard clause to avoid this kind of error, no need to let it crash.

You might also use changeset to validate outside data, which is probably the cleanest way.

Another solution is to use Integer.parse, when there is a chance String.to_integer will fail.

Never trust user data :slight_smile:

trisolaran

trisolaran

IMO, and in the specific context of web applications, an invalid input should NEVER make your process crash (thus resulting in a 500 error). Instead, it should always be handled by the application and trigger a 400 or 422 response.

Where Next?

Popular in Questions Top

aadeshere1
I have a another noob question about loop. Since elixir is immutable, while loop is not directly possible. total = 10 while total != 0 ...
New
vertexbuffer
Hello, can anybody help here..? I have a list of players and I what to delete an element, but every for loop the list is reverting to ori...
New
New
tduccuong
Hi, is there any work on GUI with Elixir, that is similar to Electron/Javascript? My idea is to bundle Phoenix and BEAM into a single se...
New
LegitStack
I’m trying to make a websocket server in Phoenix or raw Elixir. I heard about gun, I think I could use cowboy, but since I’m not that sma...
New
JDanielMartinez
Hi! May someone helps me, please! I have two apps into an umbrella project: the first one is Database, which manages queries, and the se...
New
nsuchy
Hi. I’ve noticed that Windows Powershell has it’s own IEX command and you cannot access Elixir’s IEX due to the conflict. This isn’t a cr...
New
PeterCarter
There are pre-rolled solutions for other frameworks that do work. However, Phoenix does not seem to have these. Have people had good expe...
New
jononomo
For some reason my phoenix channels are working for me in my local dev environment, but as soon as I deploy via Docker, I get a 403 error...
New
lanycrost
Hi everyone! I need implement if…else if…else condition from my elixir code, and anymore of this control flow structures not work proper...
New

Other popular topics Top

vertexbuffer
Hello, can anybody help here..? I have a list of players and I what to delete an element, but every for loop the list is reverting to ori...
New
Fl4m3Ph03n1x
About me? ( if you have nothing better to do than reading about some random guy in the internet :stuck_out_tongue: ) Hello all, this is ...
New
baxterw3b
Hi guys, i’m new in the Elixir world, and i have to say, that i love it! i’m having some problem to understand anonymous functions with ...
New
vonH
When I run the Plug and I recompile I wind up having to use Ctrl C to quit iex and start again. Witht the help of rlwrap I can use the cu...
New
sergio_101
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
shijith.k
I am trying to start a new phoenix project with elixir 1.9, but mix phx.new does not work. It says that ** (Mix) The task "phx.new" could...
New
openscript
Hello! Sorry for this astonishing simple question, but I’m really stuck. I try to set up the intellij-elixir plugin, but I don’t know ho...
New
dogweather
I wrote this comment on r/haskell, and it’s not popular there. :wink: But I think I’m on to something… Haskell reminds me of Java, and e...
New
hariharasudhan94
Lets say I have map like this fetching from my database %{"_id" => #BSON.ObjectId<58eb1a7a9ad169198c3dXXXX>, "email" => ...
New
svb
Hi! Currently I want to submit a form by pressing the Enter key. However, since my input field is of type “textarea” this is just adds a...
New

We're in Beta

About us Mission Statement