Get list of all modules called from a module


Hi there, this is the first Elixir question I post in this forum :)

Is it possible to get a list of all the modules called by a specific module? Let's say I have a module ‘Example.Helper’ and I want to know if this module calls the Elixir ‘Code’ module. Is it possible to do something like Enum.member?(get_all_modules_called(Example.Helper), Code)?

The background is that I have a backend where the user can push his Elixir modules. The backend compiles and loads the modules. The backend then runs user requests on these modules.

The reason I want to check all called modules by these user modules is that I want to make sure that no harmful code is executed on the backend.

I think mix xref graph comes close.

[quote=“JeyHey, post:1, topic:8278”]
The reason I want to check all called modules by these user modules is that I want to make sure that no harmful code is executed on the backend.
[/quote]

You can’t!

There is a tool called Xref, which is in fact able to check for static dependencies between modules, but still it will break as soon as Kernel.apply/3 comes into the mix.

If you import foreign modules into your node, your system, you have to fully trust them.

You can of course provide a more restrictive DSL which you compile to BEAM modules on your end and which lacks the dangerous functionality, but this DSL has to be well thought through to not introduce new dangers.

2 Likes
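What a purely static check can and cannot see, as an added example that is not code from any poster in this thread: the hypothetical `CalledModules.from_source/1` is a simple source-level scan (not `mix xref` itself) that collects the modules named in literal remote calls. The two `Example.Helper` sources are constructed; the scan reports `Code` for the direct call and nothing when the target reaches `apply/3` at runtime.

```elixir
defmodule CalledModules do
  # Hypothetical helper: modules named as the target of a literal remote
  # call (Mod.fun(...)) in a source string. Aliases are not expanded, so
  # `alias Foo.Bar; Bar.baz()` is reported as Bar.
  def from_source(source) do
    {:ok, ast} = Code.string_to_quoted(source)

    {_ast, mods} =
      Macro.prewalk(ast, MapSet.new(), fn
        # Foo.Bar.baz(...): module written as an alias
        {{:., _, [{:__aliases__, _, parts}, _fun]}, _, _args} = node, acc ->
          if Enum.all?(parts, &is_atom/1),
            do: {node, MapSet.put(acc, Module.concat(parts))},
            else: {node, acc}

        # :erlang.fun(...): module written as a plain atom
        {{:., _, [mod, _fun]}, _, _args} = node, acc when is_atom(mod) ->
          {node, MapSet.put(acc, mod)}

        node, acc ->
          {node, acc}
      end)

    mods
  end
end

# Constructed sample: the call to Code is visible in the source.
direct = """
defmodule Example.Helper do
  def run(s), do: Code.eval_string(s)
end
"""

# Constructed sample: module and function only exist as runtime values,
# so there is no module name in the source for any static scan to find.
dynamic = """
defmodule Example.Helper do
  def run(mod, fun, args), do: apply(mod, fun, args)
end
"""

IO.inspect(MapSet.member?(CalledModules.from_source(direct), Code), label: "direct calls Code?")
IO.inspect(MapSet.member?(CalledModules.from_source(dynamic), Code), label: "dynamic calls Code?")
IO.inspect(MapSet.to_list(CalledModules.from_source(dynamic)), label: "modules seen in dynamic")
```

An empty result for the second source says only that no module is named literally, not that no module is called, which is why the scan cannot serve as an allow-list check for untrusted code.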

Importing code is always dangerous, you do have to trust them. When calling a module you lose control. Another way is not to have them compile their code but to interpret it, maybe through a DSL, which gives you much better control, but yes, it is slower.

1 Like

Thank you for your feedback. A DSL would be difficult to come up with. Maybe a combination of xref and a lexical scan of the file to prevent all Kernel.apply calls would be a solution. For the moment I think the easiest is to make sure to isolate the backend from all other services.

Do yourself a favor, and do it the right way from the start!

If you do it the quick, easy and dirty way now, you won't fix that issue before it's too late and already costs you a lot of money because someone bypassed your shallow security measures.