Insecure use of binary_to_term

It is recommended not to use binary_to_term. What is the secure way to use it?

Since binary_to_term is an Erlang API, I would recommend reading the :erlang module documentation:
http://erlang.org/doc/man/erlang.html#binary_to_term-2

:smiling_imp:

This may help: https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/serialisation

4 Likes

For those coming from Google,

NOT SAFE: :erlang.binary_to_term(user_input, [:safe])

SAFE: Plug.Crypto.non_executable_binary_to_term(user_input, [:safe])

This is extremely important if your application passes user input to binary_to_term. The $425 million Equifax breach happened due to an Apache Struts web app that was vulnerable to RCE. Java is to Struts what Ruby is to Rails and Elixir is to Phoenix.

Article with some more details about how this happened in the paginator library: Elixir/Phoenix Security: Remote Code Execution and Serialisation

4 Likes
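As an added example (not code from the thread, from Plug or from the paginator library), here is a decode wrapper that applies the advice in the post above. It assumes the plug_crypto package is available; the SafeDecode module name and the 64 KiB size limit are arbitrary assumptions.

```elixir
# Mix.install is only here so the file runs as a standalone .exs script.
Mix.install([{:plug_crypto, "~> 2.0"}])

defmodule SafeDecode do
  # Upper bound on the encoded size accepted from an untrusted source.
  # Assumed value; tune it to the payloads your application actually sends.
  @max_bytes 64 * 1024

  @doc """
  Decodes an untrusted External Term Format binary.

  `:safe` only rejects binaries that would create new atoms or new external
  function references. It does NOT reject anonymous functions, so a caller
  that later applies a decoded value can end up running attacker-chosen code.
  `Plug.Crypto.non_executable_binary_to_term/2` walks the decoded term and
  raises ArgumentError if it contains funs, ports or similar unsafe values.
  """
  def decode(binary) when is_binary(binary) and byte_size(binary) > @max_bytes,
    do: {:error, :too_large}

  def decode(binary) when is_binary(binary) do
    {:ok, Plug.Crypto.non_executable_binary_to_term(binary, [:safe])}
  rescue
    # Raised for malformed input, unknown atoms under :safe, and executable terms.
    ArgumentError -> {:error, :unsafe_or_malformed}
  end

  def decode(_other), do: {:error, :not_a_binary}
end

# Benign data (constructed sample) round-trips as expected.
{:ok, %{page: 2, cursor: "abc"}} =
  SafeDecode.decode(:erlang.term_to_binary(%{page: 2, cursor: "abc"}))

# A serialised anonymous function is accepted by :safe alone...
fun_bin = :erlang.term_to_binary(fn -> :ok end)
true = is_function(:erlang.binary_to_term(fun_bin, [:safe]))

# ...but rejected by the non-executable variant.
{:error, :unsafe_or_malformed} = SafeDecode.decode(fun_bin)

# Malformed input is reported rather than crashing the caller.
{:error, :unsafe_or_malformed} = SafeDecode.decode(<<131, 1, 2, 3>>)

IO.puts("all checks passed")
```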