Converting strings to atoms safely
If your elixir system accepts any outside inputs and takes any part of those outside inputs and calls String.to_atom
with the input as an argument then your elixir system is subject to a denial of service attack.
Malicious actors can submit input designed to dynamically create a large number of atoms until the atom limit is reached, knocking out your elixir applications.
Consider using String.to_existing_atom
instead. If the argument to this function cannot be converted to an existing atom then an exception will be thrown.
> String.to_existing_atom("I don't exist")
** (ArgumentError) argument error
:erlang.binary_to_existing_atom("nothere", :utf8)
> String.to_atom("I don't exist")
:"I don't exist"
> String.to_existing_atom("I don't exist")
:"I don't exist"
Tweet