# `Enviable.Credo.UnsafeEval`
[🔗](https://github.com/halostatue/enviable/blob/v2.3.0/lib/enviable/credo/unsafe_eval.ex#L5)

## Basics

> #### This check is disabled by default. {: .neutral}
>
> [Learn how to enable it](`e:credo:config_file.html#checks`) via `.credo.exs`.

This check has a base priority of `high` and works with any version of Elixir.

## Explanation

Evaluating Erlang or Elixir code from environment variables is unsafe as it
executes arbitrary code in the context of your application.

Enviable functions that evaluate code should not be used with untrusted input:

    # Unsafe - evaluates arbitrary Erlang code
    Enviable.get_env_as_erlang("VAR")
    Enviable.fetch_env_as_erlang!("VAR")

    # Unsafe - evaluates arbitrary Elixir code
    Enviable.get_env_as_elixir("VAR")
    Enviable.fetch_env_as_elixir!("VAR")

This also applies to generic conversion functions and encoded types:

    # Unsafe
    Enviable.get_env_as("VAR", :erlang)
    Enviable.get_env_as("VAR", {:base64, :elixir})
    Enviable.get_env_as_list("ITEMS", as: :erlang)

When using `import Enviable`, the check applies to bare function calls:

    import Enviable

    # Unsafe
    get_env_as_erlang("VAR")
    fetch_env_as_base64!("VAR", as: :elixir)

Consider using safer alternatives. If code evaluation is necessary, ensure the
environment variable source is completely trusted and controlled.
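
One shape a safer alternative can take, as an added example rather than code from Enviable or its documentation: the setting is carried as plain `key=value` text and parsed against an allowlist, so nothing in the variable is ever evaluated. The module name `MyApp.PoolOpts`, the `POOL_OPTS` variable and its option names are assumptions made for illustration.

```elixir
defmodule MyApp.PoolOpts do
  @moduledoc "Hypothetical module (added example): reads POOL_OPTS as data, never as code."

  # Allowlist: the only strings that may become atoms. Unknown values are rejected.
  @strategies %{"fifo" => :fifo, "lifo" => :lifo}
  @defaults [size: 5, strategy: :fifo]

  # Before (flagged by Enviable.Credo.UnsafeEval): whoever can set POOL_OPTS
  # decides what code runs inside the application.
  #
  #     Enviable.get_env_as_elixir("POOL_OPTS")

  @doc "Reads e.g. `size=10,strategy=lifo`; returns `{:ok, opts}` or `{:error, reason}`."
  def load(var \\ "POOL_OPTS") do
    var |> System.get_env("") |> parse()
  end

  @doc "Parses the raw string; an unset or empty variable yields the defaults."
  def parse(raw) when is_binary(raw) do
    raw
    |> String.split(",", trim: true)
    |> Enum.reduce_while({:ok, @defaults}, fn pair, {:ok, acc} ->
      case parse_pair(String.trim(pair)) do
        {:ok, {key, value}} -> {:cont, {:ok, Keyword.put(acc, key, value)}}
        {:error, _reason} = error -> {:halt, error}
      end
    end)
  end

  # Integers are parsed strictly (no trailing characters) and range-checked.
  defp parse_pair("size=" <> value) do
    case Integer.parse(value) do
      {n, ""} when n in 1..100 -> {:ok, {:size, n}}
      _ -> {:error, {:invalid_size, value}}
    end
  end

  # Atoms come only from the allowlist map, never from String.to_atom/1.
  defp parse_pair("strategy=" <> value) do
    case Map.fetch(@strategies, value) do
      {:ok, atom} -> {:ok, {:strategy, atom}}
      :error -> {:error, {:invalid_strategy, value}}
    end
  end

  defp parse_pair(other), do: {:error, {:unknown_option, other}}
end
```

A value that carries anything outside the two recognised options is returned as `{:error, {:unknown_option, ...}}` instead of being executed.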

## Check-Specific Parameters

*There are no specific parameters for this check.*

## General Parameters

Like with all checks, [general params](`e:credo:check_params.html`) can be applied.

Parameters can be configured via the [`.credo.exs` config file](`e:credo:config_file.html`).

