aposm 6 days ago

Oops..... we are currently trying to sell an elixir-based greenfield project internally. This doesn't affect elixir by default as other commenters pointed out, but still might make our project a bit harder to pitch to management...

jerf 6 days ago | parent | next [-]

If your organization is looking for "the language ecosystem that never has any security vulnerabilities", pack it in and close up shop because you're not going to find one. How many, how often, and how they are handled is far more important.

While the Erlang/Elixir ecosystem won't stop you from writing a network server that takes in a string and just blithely passes it along to a shell without analysis, overall the Erlang/Elixir ecosystem is very strong and lacks most of the footguns like an "eval" statement that get people. Though I will ding it a point for the most obvious way to run a shell command [1] taking just a string that goes to a shell rather than an array of parameters to a shell command.

It is on the higher end of secure languages to write a network server in.
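
The string-versus-argument-list distinction from the comment above, as an added Elixir example (not code from the thread or from Elixir's own documentation). It assumes Elixir 1.12 or later for `System.shell/2`, a POSIX `echo` on `PATH`, and a constructed "filename" standing in for input that arrived over the network; `ShellArgs` and its functions are made up for the example.

```elixir
# Added example, not from the thread. Contrasts the two ways Elixir's standard
# library runs an external program. Assumes Elixir 1.12+ (for System.shell/2)
# and a POSIX `echo` on PATH. The "filename" below is constructed for the
# example and stands in for anything that arrived over the network.
defmodule ShellArgs do
  @untrusted "report.txt; echo INJECTED"

  # String form: the whole string goes to /bin/sh, so the `;` splits it into
  # two commands. This is the footgun the comment above is pointing at.
  def via_shell(name \\ @untrusted) do
    {out, _status} = System.shell("echo #{name}")
    out
  end

  # Argument-list form: no shell is involved. The input becomes exactly one
  # argv entry and reaches the program byte-for-byte, metacharacters included.
  def via_argv(name \\ @untrusted) do
    {out, _status} = System.cmd("echo", [name])
    out
  end

  # Where a shell is unavoidable (pipes, globs), refuse anything outside an
  # explicit allowlist rather than trying to escape it.
  @safe ~r/\A[\w.\-]+\z/
  def via_shell_checked(name \\ @untrusted) do
    if Regex.match?(@safe, name) do
      {:ok, System.shell("echo #{name}")}
    else
      {:error, {:rejected, name}}
    end
  end
end

IO.write("shell: " <> ShellArgs.via_shell())
IO.write("argv:  " <> ShellArgs.via_argv())
IO.inspect(ShellArgs.via_shell_checked(), label: "checked")
```

Run with `elixir shell_args.exs`. The first call shows the `;` being honoured as a command separator; the second shows the same bytes printed as a single literal argument; the third shows the allowlist rejecting the input before any shell sees it. The same distinction applies on the Erlang side, where `os:cmd/1` takes a string for a shell while `erlang:open_port/2` with `{spawn_executable, ...}` takes an argument list.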

toast0 6 days ago | parent | next [-]

> overall the Erlang/Elixir ecosystem is very strong and lacks most of the footguns like an "eval" statement that get people

Erlang has erl_eval [1] if you're looking for more ability to shoot yourself in the foot. You can call that from Elixir, but I guess that'd be weird; I'm not an Elixir person, but I'd bet you can shoot yourself in the foot if you try!

There's always fun with dist and proc_lib:spawn(Node, Fun) [2], which you can put in a list comprehension with erlang:nodes() [3] if you want to shoot yourself in many feet rapidly ;)

[1] https://www.erlang.org/doc/apps/stdlib/erl_eval.html

[2] https://www.erlang.org/doc/apps/stdlib/proc_lib.html#spawn/2

[3] https://www.erlang.org/doc/apps/erts/erlang.html#nodes/0

keepamovin 5 days ago | parent [-]

All this foot shooting - this is the problem with permissive gun laws. We should ideally lock down all firearms to prevent any civilian doing harm. Only the select few government agents should own firearms.

obligatory /S (for internet)

also: 2 months ago I posted this Erlang SSH SFTP flaw - https://news.ycombinator.com/item?id=43126360

__jonas 5 days ago | parent | prev | next [-]

There absolutely is an eval function in the Elixir standard library:

https://hexdocs.pm/elixir/1.18.3/Code.html#eval_string/3
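
Both `erl_eval` (toast0's comment) and `Code.eval_string/3` (the link above) run whatever text they are handed with the full power of the VM, so the defensive pattern when a program needs to accept a data literal from outside is to parse without evaluating and accept only literal AST nodes. The following is an added Elixir example written for this thread, not code from Elixir or from either commenter; it assumes Elixir 1.13 or later, and `SafeLiteral` and its functions are made up for the example.

```elixir
# Added example, not from the thread. Accepts user-supplied text only if it is
# a pure data literal (numbers, atoms, strings, lists, tuples, maps). Function
# calls of any kind, including string interpolation, are refused without ever
# being executed. Assumes Elixir 1.13+; inputs at the bottom are constructed.
defmodule SafeLiteral do
  @doc "Parses `src` and returns `{:ok, term}` or `{:error, reason}`."
  def parse(src) when is_binary(src) do
    # existing_atoms_only: the caller cannot grow the (never garbage-collected)
    # atom table by feeding in atoms the system has not seen before.
    case Code.string_to_quoted(src, existing_atoms_only: true) do
      {:ok, ast} -> build(ast)
      {:error, _} -> {:error, :syntax}
    end
  end

  # Plain literals are their own AST.
  defp build(lit) when is_number(lit) or is_atom(lit) or is_binary(lit), do: {:ok, lit}

  # `-1` parses as a unary minus call; allow it only on a bare number.
  defp build({:-, _, [n]}) when is_number(n), do: {:ok, -n}

  # Lists and two-element tuples are literal containers in the AST.
  defp build(list) when is_list(list), do: build_all(list)

  defp build({a, b}) do
    with {:ok, [x, y]} <- build_all([a, b]), do: {:ok, {x, y}}
  end

  # Larger tuples and maps are special forms carrying their elements.
  defp build({:{}, _, elems}) do
    with {:ok, xs} <- build_all(elems), do: {:ok, List.to_tuple(xs)}
  end

  defp build({:%{}, _, pairs}) do
    # `%{m | k: v}` update syntax carries a `|` call instead of pairs; refuse it.
    if Enum.all?(pairs, &match?({_, _}, &1)) do
      with {:ok, kvs} <- build_all(pairs), do: {:ok, Map.new(kvs)}
    else
      {:error, :not_a_literal}
    end
  end

  # Anything else is a call `{name, meta, args}`, a variable, an alias or a
  # struct: refuse rather than evaluate.
  defp build(_other), do: {:error, :not_a_literal}

  defp build_all(asts) do
    Enum.reduce_while(asts, {:ok, []}, fn ast, {:ok, acc} ->
      case build(ast) do
        {:ok, t} -> {:cont, {:ok, [t | acc]}}
        err -> {:halt, err}
      end
    end)
    |> case do
      {:ok, acc} -> {:ok, Enum.reverse(acc)}
      err -> err
    end
  end
end

# Constructed inputs: a config-like map literal is accepted; an expression
# (which is a call to +/2) and interpolation (a call to <<>>) are refused.
IO.inspect(SafeLiteral.parse(~s(%{"retries" => 3, "hosts" => ["a", "b"], "t" => {1, -2}})))
IO.inspect(SafeLiteral.parse("1 + 1"))
IO.inspect(SafeLiteral.parse(~s("x#\{y}")))
```

The design choice is to whitelist AST shapes rather than to blacklist dangerous calls: every node that is not one of the enumerated literal forms is refused, so new syntax or an unanticipated function never slips through. If evaluation of real code is genuinely needed (a REPL, as josevalim notes below), that is a feature for trusted operators, not for input from the network.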

joshribakoff 6 days ago | parent | prev | next [-]

I’ve seen more horrendous code using macros in elixir even despite my brief foray than I have seen ever in decades of working in languages with eval. Like using them when normal functions would suffice.

josevalim 5 days ago | parent [-]

Using macros when a function would do is a legit anti-pattern (and documented as such [1]) but unrelated to the security aspect as they are compile-time constructs.

The reason they were added to the language was precisely so meta and dynamic programming is done at compile time, which you can introspect before you deploy, versus doing it at runtime, which is how most dynamic languages tackle this. And those languages are most likely not using eval either, but intrinsic features that allow you to define classes, attributes, methods, and so on programmatically.

I’d say eval is discouraged in most languages, although it is useful for building things like REPLs and interactive environments.

[1]: https://hexdocs.pm/elixir/macro-anti-patterns.html#unnecessa...
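
The compile-time point above, as an added Elixir example (not code from the thread or from the linked anti-pattern page): a macro and a plain function doing the same job, followed by the introspection of the macro's expansion that is possible before anything is deployed. It assumes a plain `elixir` script run; `Guard` and its function names are made up for the example.

```elixir
# Added example, not from the thread. A macro and a function with the same
# behaviour, plus compile-time introspection of the macro's expansion.
# Assumes a plain `elixir` script run; the names are made up for the example.
defmodule Guard do
  # Macro: receives the caller's code as an AST during compilation and returns
  # the code that replaces the call. No runtime string is involved, so there is
  # nothing for a remote user to feed into it.
  defmacro require_positive(expr) do
    quote do
      value = unquote(expr)
      if value > 0, do: value, else: raise(ArgumentError, "not positive")
    end
  end

  # Function: the same check at runtime. When this is enough, it is the right
  # choice; reaching for the macro here is the documented anti-pattern.
  def require_positive_fn(value) when value > 0, do: value
  def require_positive_fn(_), do: raise(ArgumentError, "not positive")
end

require Guard

# The expansion is ordinary Elixir code that can be read and reviewed before
# deploy; this prints the `if` the macro generates at the call site.
quote(do: Guard.require_positive(user_count))
|> Macro.expand_once(__ENV__)
|> Macro.to_string()
|> IO.puts()

# Both forms behave the same on a value at runtime.
IO.inspect(Guard.require_positive(3), label: "macro")
IO.inspect(Guard.require_positive_fn(3), label: "function")
```

`Macro.expand_once/2` needs `Guard` required in the environment it is given, which is why the `require` precedes the `__ENV__` capture. The contrast with `Code.eval_string/3` is that the input to the macro is the developer's own source, fixed at build time, while eval's input is whatever string exists when the program is already running.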

MisterTea 6 days ago | parent | prev | next [-]

> most obvious way to run a shell command [1]

I think you forgot a link to your [1] reference.

Hikikomori 6 days ago | parent | prev [-]

Just create your own.

rramadass 5 days ago | parent | prev | next [-]

That is quite the wrong way of looking at it. The vulnerability is in an implementation of SSH and not with the language/runtime itself; And it has already been patched. Erlang is a "managed" language and is quite secure compared to others.

You should definitely "sell" Elixir/Erlang/BEAM based languages to your management for a greenfield project; The opportunity is too good to pass up.

Nevertheless, if you would like to learn how to "harden" your Elixir/Erlang system, see the guidelines from the "Security Working Group" of EEF which I have linked to here - https://news.ycombinator.com/item?id=43717633

victorbjorklund 6 days ago | parent | prev [-]

Honestly, no language is totally safe.