Hoplon - screening your hex dependencies for hidden code

A while back, inspired by the “I’m harvesting credit card numbers and passwords from your site - here’s how” article, I started working on a tool that addresses the problem highlighted in the article, but for the Elixir ecosystem - hoplon. This Wednesday I presented it for the first time at the Elixir London Meetup and figured it was ready to be shared on the Elixir Forum :wink:


The basic idea is that when using external libraries we usually assume their hex packages contain exactly the code that is in their GitHub repos, while there are no real guarantees that that would be the case. While that’s not necessarily a problem with hobby projects, it becomes a real vulnerability if you use third-party libraries in production projects that handle user data - we’re adopting it where I work as we speak :slight_smile:

Take a look at the project and suffixer - the example project that uses it. I’d love to know your feedback. If you prefer to talk in real-time, I created hoplon on the Elixir Slack, but the turnaround from my end might still be a bit slow on weekdays.

The slides from the presentation are available HERE, the recording should be available within a week or 2 as well.

Disclaimer: while I am planning to implement the missing features rather sooner than later, I think I’m going to take the next couple of weeks to tidy up the code - I’ve been rushing to get it ready for the meetup and it isn’t really up to my usual standards. Feel free to report issues/suggestions regardless.

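To make the idea behind the post concrete, here is an added example (my own code, not hoplon's, and not what the tool actually does internally) that lists the files a hex tarball ships that are absent from, or differ from, a git checkout of the same release. It assumes the standard hex tarball layout (an outer tar with VERSION, CHECKSUM, metadata.config and contents.tar.gz); the package and checkout it is run on here are constructed in the `<test>`, and `build_sample_package` exists only to construct such a sample.

```python
import hashlib
import io
import os
import tarfile

def hex_package_files(tarball_bytes):
    """{path: sha256} of the source files in a hex tarball: a plain outer tar
    holding VERSION, CHECKSUM, metadata.config and contents.tar.gz, with the
    code inside contents.tar.gz (CHECKSUM is not verified here; mix does that)."""
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:") as outer:
        inner = outer.extractfile("contents.tar.gz").read()
    files = {}
    with tarfile.open(fileobj=io.BytesIO(inner), mode="r:gz") as contents:
        for m in contents.getmembers():
            if m.isfile():
                files[m.name] = hashlib.sha256(contents.extractfile(m).read()).hexdigest()
    return files

def checkout_files(root):
    """{relative path: sha256} of every file under a git checkout, minus .git."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            files[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return files

def compare(package, checkout):
    """Files only in the package, and files that differ from the checkout. Files
    only in the checkout (tests, docs) are normal and are not reported."""
    only = sorted(p for p in package if p not in checkout)
    changed = sorted(p for p in package if p in checkout and package[p] != checkout[p])
    return {"only_in_package": only, "modified": changed}

def build_sample_package(files):
    """Constructed hex-style tarball for the demo; nothing is fetched from hex.pm."""
    def pack(entries, mode):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode=mode) as tar:
            for name, data in entries.items():
                info = tarfile.TarInfo(name)
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
        return buf.getvalue()
    contents = pack(files, "w:gz")
    return pack({"VERSION": b"3", "CHECKSUM": b"", "metadata.config": b"",
                 "contents.tar.gz": contents}, "w")
```

Against a real dependency, fetch the tarball with `mix hex.package fetch <package> <version>`, clone the repo at the matching release tag, and pass the tarball bytes and the clone directory to `compare(hex_package_files(...), checkout_files(...))`. An empty report means every shipped file is byte-identical to the repo; files only in the checkout are expected because mix.exs normally excludes them from the package.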