Credo.Check.Warning.UnsafeExec (Credo v1.5.0) View Source

This check has a base priority of high and works with any version of Elixir.

Explanation

Spawning external commands can lead to command injection vulnerabilities.

Use a safe API where arguments are passed as an explicit list, rather than unsafe APIs that run a shell to parse the arguments from a single string.

Safe APIs include:

• System.cmd/2,3
• :erlang.open_port/2, passing {:spawn_executable, file_name} as the first parameter, and any arguments using the :args option

Unsafe APIs include:

• :os.cmd/1,2
• :erlang.open_port/2, passing {:spawn, command} as the first parameter

Configuration parameters

There are no specific parameters for this check.

Like with all checks, general params can be applied.

Parameters can be configured via the .credo.exs config file.