defmodule Sobelow.RCE.CodeModule do
@moduledoc """
# Code Execution in `eval` function
Arbitrary strings passed to the `Code.eval_*` functions can be
executed as malicious code.
Ensure the the code passed to the function is not user-controlled
or remove the function call completely.
Read more about Elixir RCE here:
https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/sandboxing
Code Execution checks can be ignored with the following command:
$ mix sobelow -i RCE.CodeModule
"""
@uid 15
@finding_type "RCE.CodeModule: Code execution in eval function"
use Sobelow.Finding
@code_funs [:eval_string, :eval_file, :eval_quoted]
def run(fun, meta_file) do
confidence = if !meta_file.is_controller?, do: :low
Enum.each(@code_funs, fn code_fun ->
"RCE.CodeModule: Code Execution in `Code.#{code_fun}`"
|> Finding.init(meta_file.filename, confidence)
|> Finding.multi_from_def(fun, parse_def(fun, code_fun))
|> Enum.each(&Print.add_finding(&1))
end)
end
def parse_def(fun, code_fun) do
Parse.get_fun_vars_and_meta(fun, 0, code_fun, [:Code])
end
end