Basics
This check is disabled by default.
Learn how to enable it via .credo.exs.
This check has a base priority of high and works with any version of Elixir.
Explanation
Evaluating Erlang or Elixir code read from environment variables is unsafe: whatever the variable contains is compiled and executed with the full privileges of your application. Enviable functions that evaluate code should therefore never be used with input you do not control:
# Unsafe - evaluates arbitrary Erlang code
Enviable.get_env_as_erlang("VAR")
Enviable.fetch_env_as_erlang!("VAR")

# Unsafe - evaluates arbitrary Elixir code
Enviable.get_env_as_elixir("VAR")
Enviable.fetch_env_as_elixir!("VAR")

This also applies to the generic conversion functions and to encoded types:

# Unsafe
Enviable.get_env_as("VAR", :erlang)
Enviable.get_env_as("VAR", {:base64, :elixir})
Enviable.get_env_as_list("ITEMS", as: :erlang)

When using import Enviable, the check also applies to bare function calls:

import Enviable

# Unsafe
get_env_as_erlang("VAR")
fetch_env_as_base64!("VAR", as: :elixir)

Consider using safer alternatives. If code evaluation is necessary, ensure the environment variable source is completely trusted and controlled.
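As an added illustration of "safer alternatives" (this is example code, not part of the Enviable or Credo documentation), the module below puts the evaluating call the check flags next to a version that treats the same variable as data and parses it with plain Elixir; the variable names ALLOWED_ORIGINS and POOL_SIZE and their expected formats are assumptions made up for the example.

```elixir
# Example code, not from Enviable or Credo. ALLOWED_ORIGINS and POOL_SIZE
# are constructed variable names; their formats are assumptions.
defmodule MyApp.Settings do
  # Flagged by the check: the variable's contents are compiled and run,
  # so a value like `System.cmd("rm", ["-rf", "/"])` would execute on boot.
  def allowed_origins_unsafe do
    Enviable.fetch_env_as_elixir!("ALLOWED_ORIGINS")
  end

  # Safer: the variable is a comma-separated list of origins. Split it,
  # trim, and validate each entry; anything that is not an http(s) origin
  # with a host raises instead of being interpreted as code.
  def allowed_origins do
    "ALLOWED_ORIGINS"
    |> System.fetch_env!()
    |> String.split(",", trim: true)
    |> Enum.map(&String.trim/1)
    |> Enum.map(&validate_origin!/1)
  end

  defp validate_origin!(origin) do
    case URI.new(origin) do
      {:ok, %URI{scheme: scheme, host: host}}
      when scheme in ["http", "https"] and is_binary(host) and host != "" ->
        origin

      _ ->
        raise ArgumentError,
              "ALLOWED_ORIGINS entry is not an http(s) origin: #{inspect(origin)}"
    end
  end

  # Numeric settings: parse the string, never evaluate it. A trailing
  # remainder from Integer.parse/1 means the value was not a plain integer.
  def pool_size(default \\ 10) do
    case System.get_env("POOL_SIZE") do
      nil ->
        default

      raw ->
        case Integer.parse(raw) do
          {n, ""} when n > 0 -> n
          _ -> raise ArgumentError, "POOL_SIZE must be a positive integer, got #{inspect(raw)}"
        end
    end
  end
end
```

With this shape, a hostile or simply malformed value fails loudly at configuration time rather than gaining code execution, which is the behaviour the check exists to enforce.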
Check-Specific Parameters
There are no specific parameters for this check.
General Parameters
As with all checks, the general parameters can be applied.
Parameters can be configured via the .credo.exs config file.