Safe way to mix project information

Hey,
As part of my work on brewex.io, I want to get the mix project information (name, version, deps, etc.) for the project the user wants to deploy.
I want this information to be able to provide some automated deploy script for the user, like the Elixir build image the project requires, and the server run command after the project is deployed on the server.

I don’t want to eval the file inside my server because it opens major security risks.
My first thought was to parse the mix.exs file, but then I understood it would be hard and almost impossible to cover all the ways people can define it.

My second thought is to run the project inside a temporary docker container and try to get the data from it. But I want to think there is a better solution than this.

Thank you,
Z

It will be impossible without writing an Elixir interpreter.

The question is whether you want to build the release on behalf of the user on your server or locally. If locally, then you can read name.app, which is just an Erlang consult file (however you probably need not use file:consult/1 as it can cause atom exhaustion, but parsing that file should not really be hard). This file is static, so it does not need any additional processing and should contain all the information needed by you.
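
The approach suggested in the reply above, as an added example that is not part of the original thread: a small Elixir reader for a `.app` file that keeps atom names as binaries, so untrusted input never creates atoms. The module name `SafeAppFile`, its `summary/1` function and the sample file contents are assumptions made for this illustration.

```elixir
defmodule SafeAppFile do
  # Reads an Erlang .app term from untrusted text. Atoms come back as {:atom, "name"}
  # binaries, so input cannot grow the atom table. Anything unsupported raises.
  def summary(text) do
    {{:tuple, [{:atom, "application"}, {:atom, name}, {:list, props}]}, rest} = term(skip(text))
    "." <> _ = skip(rest)
    kv = for {:tuple, [{:atom, k}, v]} <- props, into: %{}, do: {k, v}
    {:string, vsn} = Map.fetch!(kv, "vsn")
    {:list, apps} = Map.get(kv, "applications", {:list, []})
    %{name: name, vsn: vsn, applications: for({:atom, a} <- apps, do: a)}
  end

  # Skip whitespace and % comments.
  defp skip(<<c, rest::binary>>) when c in [?\s, ?\t, ?\r, ?\n], do: skip(rest)
  defp skip(<<"%", rest::binary>>), do: rest |> String.split("\n", parts: 2) |> Enum.at(1, "") |> skip()
  defp skip(rest), do: rest

  # Supported terms: tuples, lists, strings, quoted and bare atoms, integers.
  defp term(<<"{", rest::binary>>), do: seq(skip(rest), ?}, :tuple, [])
  defp term(<<"[", rest::binary>>), do: seq(skip(rest), ?], :list, [])
  defp term(<<"\"", rest::binary>>), do: wrap(:string, quoted(rest, ?", ""))
  defp term(<<"'", rest::binary>>), do: wrap(:atom, quoted(rest, ?', ""))
  defp term(<<c, _::binary>> = bin) when c in ?0..?9 do
    {digits, rest} = take(bin, "", &(&1 in ?0..?9))
    {String.to_integer(digits), rest}
  end
  defp term(<<c, _::binary>> = bin) when c in ?a..?z do
    wrap(:atom, take(bin, "", &(&1 in ?a..?z or &1 in ?A..?Z or &1 in ?0..?9 or &1 in [?_, ?@])))
  end
  defp term(_), do: raise(ArgumentError, "unsupported or malformed term")

  # Elements up to the closing bracket; separators are accepted leniently.
  defp seq(<<c, rest::binary>>, c, tag, acc), do: {{tag, Enum.reverse(acc)}, rest}
  defp seq(<<",", rest::binary>>, close, tag, acc), do: seq(skip(rest), close, tag, acc)
  defp seq(bin, close, tag, acc) do
    {t, rest} = term(bin)
    seq(skip(rest), close, tag, [t | acc])
  end

  # Quoted text up to the closing quote; a backslash keeps the next byte as-is.
  defp quoted(<<"\\", c, rest::binary>>, q, acc), do: quoted(rest, q, <<acc::binary, c>>)
  defp quoted(<<q, rest::binary>>, q, acc), do: {acc, rest}
  defp quoted(<<c, rest::binary>>, q, acc), do: quoted(rest, q, <<acc::binary, c>>)
  defp wrap(tag, {value, rest}), do: {{tag, value}, rest}
  defp take(<<c, rest::binary>> = bin, acc, ok?) do
    if ok?.(c), do: take(rest, <<acc::binary, c>>, ok?), else: {acc, bin}
  end
  defp take("", acc, _ok?), do: {acc, ""}
end
```

For a constructed input such as `{application,demo,[{applications,[kernel,stdlib]},{vsn,"0.1.0"}]}.`, `SafeAppFile.summary/1` returns a map holding the name, version and application list as plain binaries.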

Yeah, I build the project in a docker container before deploying it to the production server.

Where can I read more about this file, and where can I find it after the build?

Edit:
Is this the one?
https://www.erlang.org/doc/man/app.html

I appreciate your help :slight_smile:
