johmue
Failing String.to_integer/1 due to malicious requests
When working on Phoenix projects I sometimes need to take integers as a string as user input from HTTP requests. When I use String.to_integer/1 to get the integer values, an attacker could easily craft a request that makes String.to_integer/1 raise an exception and thus crash the Erlang process.
Question: Is this failing String.to_integer/1 a security issue? Or does will only make the concerning Erlang process crash without further damage? What do I have to look after?
Marked As Solved
Nicd
Answering your direct question about security issues, then by itself it’s not a security issue. Phoenix will reply with a 500 error to the user which is not good UX, but assuming you’re in prod mode, it won’t leak any details. The memory of the process will be garbage collected and the system stability won’t be affected.
Now where it can be an issue is if your system relies on the process to do something security related and it crashes in the middle of that, leaving side effects or leaving something undone. Usually you’d use DB transactions to prevent issues from such matters but maybe you’re also talking to external systems, handling files, etc., where it’s not that simple. Only you can spot those dangerous places in your application.
Also Liked
eksperimental
From the docs:
https://hexdocs.pm/elixir/String.html#to_integer/1
If you want to parse a string that may contain an ill-formatted integer, use
Integer.parse/1.
kokolegorille
You might use guard clause to avoid this kind of error, no need to let it crash.
You might also use changeset to validate outside data, which is probably the cleanest way.
Another solution is to use Integer.parse, when there is a chance String.to_integer will fail.
Never trust user data ![]()
trisolaran
IMO, and in the specific context of web applications, an invalid input should NEVER make your process crash (thus resulting in a 500 error). Instead, it should always be handled by the application and trigger a 400 or 422 response.
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance








