CouchDB issue COUCHDB-622

erlview sandboxing via parse transform


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Component: View Server Support
    • Skill Level: New Contributors Level (Easy)

    Description

      I'm just adding this ticket so I don't forget about it.

      It's possible to improve the safety of the native Erlang view server, just by doing a simple walk of the parsed abstract form. I think all we need to do is forbid calls to functions in all external modules m:f(), except for whitelisted modules (e.g. io_lib, lists) or specific functions. We also need a whitelist of BIFs.

      Some care may be needed for imported functions - check if they are already expanded to m:f() in the abstract form, or remain as f().

      My main concern is preventing things like os:cmd(). There are also many possible DoS attacks, like atom exhaustion or spawning infinite numbers of processes. However, most view definitions aren't going to need spawn() or list_to_atom(). A configurable whitelist could be very tight by default, but still allow admins to allow any specific functions they need.
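      The walk the ticket proposes, as an added example that is not CouchDB's code: the module scans and parses a view fun expression into its abstract form, then descends through every subterm, rejecting remote calls m:f(...) and fun m:f/a references to modules outside a module whitelist, rejecting remote calls whose module or function is computed at run time (they cannot be checked statically), and rejecting local calls to auto-imported BIFs outside a second whitelist. The module name, the whitelist contents and the error terms are assumptions made for this illustration.

```erlang
%% Added example, not CouchDB code: a minimal whitelist check over Erlang
%% abstract forms for erlview bodies. Module name, whitelists and the
%% shape of the error terms are assumptions for illustration.
-module(erlview_check).
-export([check_source/1, check_forms/2, default_modules/0, default_bifs/0, demo/0]).

%% Constructed module whitelist: what a typical view body needs.
default_modules() -> [lists, proplists, string, io_lib].

%% Constructed BIF whitelist as {Name, Arity}. spawn/1, list_to_atom/1 and
%% apply/3 are deliberately absent, as are all of module erlang's other exports.
default_bifs() ->
    [{length, 1}, {hd, 1}, {tl, 1}, {element, 2}, {tuple_size, 1},
     {size, 1}, {integer_to_list, 1}, {list_to_binary, 1},
     {is_list, 1}, {is_tuple, 1}, {is_binary, 1}, {is_integer, 1}].

%% Scan and parse one fun expression (what an erlview body looks like),
%% then check it. Returns ok or {error, Reason}.
check_source(Src) ->
    {ok, Tokens, _End} = erl_scan:string(Src),
    {ok, [FunExpr]} = erl_parse:parse_exprs(Tokens),
    check_forms(FunExpr, {default_modules(), default_bifs()}).

%% Remote call with literal module and function names: allowed only when the
%% module is whitelisted; the arguments are then checked as well.
check_forms({call, Line, {remote, _, {atom, _, M}, {atom, _, F}}, Args},
            {Mods, _} = WL) ->
    case lists:member(M, Mods) of
        true  -> check_list(Args, WL);
        false -> {error, {forbidden_call, M, F, Line}}
    end;
%% Remote call whose module or function is computed at run time: the target
%% cannot be known statically, so it is rejected outright.
check_forms({call, Line, {remote, _, _, _}, _Args}, _WL) ->
    {error, {dynamic_remote_call, Line}};
%% Local call: a bare fun expression has no -import attributes and no local
%% functions, so an f(...) call is either an auto-imported BIF (checked
%% against the BIF whitelist) or a compile error later on.
check_forms({call, Line, {atom, _, F}, Args}, {_, Bifs} = WL) ->
    Arity = length(Args),
    case erl_internal:bif(F, Arity) andalso not lists:member({F, Arity}, Bifs) of
        true  -> {error, {forbidden_bif, F, Arity, Line}};
        false -> check_list(Args, WL)
    end;
%% fun m:f/a also names an external function, so it gets the same module check.
check_forms({'fun', Line, {function, {atom, _, M}, {atom, _, F}, _A}}, {Mods, _}) ->
    case lists:member(M, Mods) of
        true  -> ok;
        false -> {error, {forbidden_fun_ref, M, F, Line}}
    end;
check_forms({'fun', Line, {function, _, _, _}}, _WL) ->
    {error, {dynamic_fun_ref, Line}};
%% Everything else (clauses, patterns, literals, operators): descend into
%% the subterms; atoms and integers at the leaves are fine.
check_forms(T, WL) when is_tuple(T) -> check_list(tuple_to_list(T), WL);
check_forms(L, WL) when is_list(L)  -> check_list(L, WL);
check_forms(_, _WL)                 -> ok.

%% Check a list of subterms, stopping at the first error.
check_list([], _WL) -> ok;
check_list([H | T], WL) ->
    case check_forms(H, WL) of
        ok  -> check_list(T, WL);
        Err -> Err
    end.

%% Constructed inputs: a view body that only uses whitelisted modules, and
%% one that reaches for os:cmd/1, the call the ticket is most concerned about.
demo() ->
    Good = "fun({Doc}) -> lists:sum(proplists:get_value(<<\"n\">>, Doc, [])) end.",
    Bad  = "fun(Doc) -> os:cmd(\"echo hi\"), Doc end.",
    {check_source(Good), check_source(Bad)}.
```

      Compile with erlc and call erlview_check:demo() from a shell; the first body passes and the second is reported as a forbidden call to os:cmd at line 1. Two design points worth noting: erlang:list_to_atom/1 is a remote call to module erlang, which is not whitelisted as a module, so only the specific BIFs in default_bifs/0 are reachable; and because parse_exprs/1 is applied to a single fun expression, the imported-function question the ticket raises does not arise here, since there is no -import attribute to expand and every f(...) is resolved as a BIF.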

      People

        Assignee: Unassigned
        Reporter: Brian Candler (candlerb)
        Votes: 1
        Watchers: 2