I would really like to make the role checking as declarative as possible so that the code is easier to read.
e.g.:

Using strings has advantages for readability and programmatic use, e.g. with a variable in place of the `String`:

However, an empty string always matches: https://hexdocs.pm/elixir/String.html#contains?/2

```elixir
iex> String.contains?("elixir of life", "")
true
iex> String.contains?("elixir of life", ["", "other"])
true
```

So if the `required_role` variable was set to `""`, the person would magically have admin access because the `String.contains?/2` check would be `true`!! 🤦 i.e. trivial https://en.wikipedia.org/wiki/Privilege_escalation

To get around this, we could use `atoms`:

They consume memory for each role name, but it also makes it safe.
But since atoms cannot be "empty", we mitigate the empty string attack.

How about we accept both `String` and `Atom` for flexibility but have an immediate `false` if the `String` is empty?

What other security checks do we need to perform on this "potentially malicious" data?

Todo

- Create a function that checks that a `person` has a given `role`
- What else?
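The following is an added example, not code from the issue or from the project it belongs to. It puts the `String.contains?/2` check discussed above next to a hardened version that accepts either a `String` or an `Atom`, returns `false` immediately for an empty string, and compares whole role names instead of substrings. It assumes (a constructed assumption for this example) that a `person` is a map whose `:roles` field holds a comma-separated string such as `"admin,editor"`; the module and function names are hypothetical.

```elixir
defmodule RoleCheck do
  @moduledoc """
  Added example, not part of the original issue or project.
  Assumes (constructed for this example) that a person is a map like
  %{roles: "admin,editor"} where :roles is a comma-separated string.
  """

  # Vulnerable version: the String.contains?/2 check from the issue.
  # String.contains?("admin,editor", "") is true, so an empty
  # required_role grants access to everyone.
  def has_role_vulnerable?(%{roles: roles}, required_role)
      when is_binary(roles) and is_binary(required_role) do
    String.contains?(roles, required_role)
  end

  # Hardened version.
  # 1. An empty string (or nil) is rejected before anything else is looked at.
  def has_role?(_person, ""), do: false
  def has_role?(_person, nil), do: false

  # 2. Atoms are accepted for convenience and normalised to a string;
  #    booleans are excluded so that `true`/`false` cannot name a role.
  def has_role?(person, role) when is_atom(role) and not is_boolean(role) do
    has_role?(person, Atom.to_string(role))
  end

  # 3. Strings are trimmed and compared as whole role names, so "admin"
  #    does not match a person whose only role is "superadmin".
  def has_role?(%{roles: roles}, role) when is_binary(roles) and is_binary(role) do
    role = String.trim(role)
    role != "" and role in role_list(roles)
  end

  # 4. Anything else (missing :roles field, non-string input) is denied.
  def has_role?(_person, _role), do: false

  # Split the stored comma-separated roles into a list of trimmed names,
  # dropping empty entries produced by stray commas.
  defp role_list(roles) do
    roles
    |> String.split(",", trim: true)
    |> Enum.map(&String.trim/1)
    |> Enum.reject(&(&1 == ""))
  end
end
```

With this module, `RoleCheck.has_role_vulnerable?(%{roles: "editor"}, "")` returns `true`, reproducing the escalation described in the issue, while `RoleCheck.has_role?(%{roles: "editor"}, "")` returns `false`; `RoleCheck.has_role?(%{roles: "admin,editor"}, :admin)` matches through the atom clause, and `RoleCheck.has_role?(%{roles: "superadmin"}, "admin")` is `false` because only whole role names are compared. The deny-by-default clause at the end is what keeps unexpected input shapes from falling through to an accidental match.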