johmue

johmue

Failing String.to_integer/1 due to malicious requests

When working on Phoenix projects I sometimes need to take integers as a string as user input from HTTP requests. When I use String.to_integer/1 to get the integer values, an attacker could easily craft a request that makes String.to_integer/1 raise an exception and thus crash the Erlang process.

Question: Is this failing String.to_integer/1 a security issue? Or does will only make the concerning Erlang process crash without further damage? What do I have to look after?

Marked As Solved

Nicd

Nicd

Answering your direct question about security issues, then by itself it’s not a security issue. Phoenix will reply with a 500 error to the user which is not good UX, but assuming you’re in prod mode, it won’t leak any details. The memory of the process will be garbage collected and the system stability won’t be affected.

Now where it can be an issue is if your system relies on the process to do something security related and it crashes in the middle of that, leaving side effects or leaving something undone. Usually you’d use DB transactions to prevent issues from such matters but maybe you’re also talking to external systems, handling files, etc., where it’s not that simple. Only you can spot those dangerous places in your application.

Also Liked

eksperimental

eksperimental

From the docs:

https://hexdocs.pm/elixir/String.html#to_integer/1

If you want to parse a string that may contain an ill-formatted integer, use Integer.parse/1.

kokolegorille

kokolegorille

You might use guard clause to avoid this kind of error, no need to let it crash.

You might also use changeset to validate outside data, which is probably the cleanest way.

Another solution is to use Integer.parse, when there is a chance String.to_integer will fail.

Never trust user data :slight_smile:

trisolaran

trisolaran

IMO, and in the specific context of web applications, an invalid input should NEVER make your process crash (thus resulting in a 500 error). Instead, it should always be handled by the application and trigger a 400 or 422 response.

Where Next?

Popular in Questions Top

siddhant3030
Hi, I have to write a raw query for one of my project. But till now I have used ecto queries and don’t have much experience writing raw ...
New
skosch
To my knowledge, put_in, Map.update etc. all have the one limitation of not automatically creating intermediate keys when needed (for exa...
New
JorisKok
I have a server on AWS, and was running a load test using artillery. When looking at the Phoenix dashboard I see the Ports going to 100% ...
New
jason.o
In the code below, if the create action is not set to accept “extra_key” as an input, it errors out with a message shown above. Is there ...
New
nsuchy
Hi. I’ve noticed that Windows Powershell has it’s own IEX command and you cannot access Elixir’s IEX due to the conflict. This isn’t a cr...
New
Brian
What is the proper way to load a module from a file in to IEX? In the python world, doing something like this pretty standard: from ....
New
hariharasudhan94
I would like to know what is the best IDE for elixir development?
New
WestKeys
Currently suffering from paralysis by [HTTP client] analysis. This is rather unusual in Elixirland as there tends to be consensus on the ...
New
svb
Hi! Currently I want to submit a form by pressing the Enter key. However, since my input field is of type “textarea” this is just adds a...
New
vonH
In asking this question I am more interested about the expressiveness of the language itself and less concerned about the availability of...
New

Other popular topics Top

danschultzer
None of the current solutions worked well for me, so I went ahead and built a user management system from scratch. This project took far...
548 29377 241
New
lastday4you
I wanted to check elixir version in phoenix because i found that my elixir is 1.5 but when i use Enum.chunk_by it said the function is un...
New
Nvim
Anybody knows a comprehensive comparison of Django and Phoenix, thanks for the help. Where are they similar? Where do they differ the m...
New
electic
Hi, I am new to Elixir. I am trying to use the DateTime component to insert a date into MySQL however the there seems to be no way to fo...
New
ovidiubadita
Hey all, I discovered Elixir and I love it. I always wanted to learn a functional programming and I intended to go for Haskell, but afte...
New
Brian
What is the proper way to load a module from a file in to IEX? In the python world, doing something like this pretty standard: from ....
New
hariharasudhan94
I would like to know what is the best IDE for elixir development?
New
openscript
Hello! Sorry for this astonishing simple question, but I’m really stuck. I try to set up the intellij-elixir plugin, but I don’t know ho...
New
Qqwy
Update: How to use the Blogs & Podcasts section You can post links to your blog posts or podcasts either in one of the Official Blog...
3271 126479 1222
New
AstonJ
Seen any cool LiveView demos, sample apps or examples? Please post them here! :003:
New

We're in Beta

About us Mission Statement