It is recommended not to use binary_to_term. What is the secure way to use it?
Since binary_to_term is an Erlang API, I would recommend reading the :erlang module documentation:
http://erlang.org/doc/man/erlang.html#binary_to_term-2
This may help: https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/serialisation
For those coming from google,
NOT SAFE: :erlang.binary_to_term(user_input, [:safe])
SAFE: Plug.Crypto.non_executable_binary_to_term(user_input, [:safe])
This is extremely important if your application passes user input to binary_to_term. The $425 million Equifax breach happened due to an Apache Struts web app that was vulnerable to RCE. Java is to Struts what Ruby is to Rails and Elixir is to Phoenix.
Article with some more details about how this happened in the paginator library: Elixir/Phoenix Security: Remote Code Execution and Serialisation
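The difference between the two calls above, as an added example that is not code from the thread or from plug_crypto itself: it assumes Elixir 1.12+ (for Mix.install) and plug_crypto 2.x, and feeds both decoders two constructed payloads, a plain data map and a term carrying an anonymous function.

```elixir
# Added example (not from the thread). Assumes Elixir >= 1.12 and plug_crypto 2.x.
Mix.install([{:plug_crypto, "~> 2.0"}])

defmodule DeserialiseCheck do
  # Constructed sample payloads, produced exactly the way an attacker-controlled
  # binary would be: a harmless data term and a term that carries a function.
  def data_payload, do: :erlang.term_to_binary(%{page: 2, sort: "asc"})
  def fun_payload, do: :erlang.term_to_binary(fn x -> x end)

  # The NOT SAFE call. [:safe] only refuses to create *new* atoms (and unknown
  # external function references); a fun whose module and function atoms already
  # exist in the VM is decoded as a callable function.
  def unsafe_decode(bin), do: :erlang.binary_to_term(bin, [:safe])

  # The SAFE call: same [:safe] protection for the atom table, plus a walk over
  # the decoded term that raises ArgumentError on any executable term.
  def safe_decode(bin), do: Plug.Crypto.non_executable_binary_to_term(bin, [:safe])

  def run do
    IO.inspect(unsafe_decode(data_payload()), label: "unsafe, data")
    # true: the function survived deserialisation despite [:safe]
    IO.inspect(is_function(unsafe_decode(fun_payload())), label: "unsafe, fun decoded?")

    IO.inspect(safe_decode(data_payload()), label: "safe, data")

    # The hardened decoder rejects the same payload instead of returning a fun.
    try do
      safe_decode(fun_payload())
    rescue
      e in ArgumentError -> IO.puts("safe, fun rejected: " <> Exception.message(e))
    end
  end
end

DeserialiseCheck.run()
```

Run it with `elixir deserialise_check.exs`; plain data round-trips through both decoders, and only the plug_crypto version refuses the payload containing a function.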