View Source Credo.Check.Warning.UnsafeExec (Credo v1.7.8)

Basics

This check is enabled by default.

Learn how to disable it via .credo.exs.

This check has a base priority of high and works with any version of Elixir.

Explanation

Spawning external commands can lead to command injection vulnerabilities.

Use a safe API where arguments are passed as an explicit list, rather than unsafe APIs that run a shell to parse the arguments from a single string.

Safe APIs include:

  • System.cmd/2,3
  • :erlang.open_port/2, passing {:spawn_executable, file_name} as the first parameter, and any arguments using the :args option

Unsafe APIs include:

Check-Specific Parameters

There are no specific parameters for this check.

General Parameters

Like with all checks, general params can be applied.

Parameters can be configured via the .credo.exs config file.