Hi there, I noticed ex_utils' public util atomize_keys uses String.to_atom and is masking that vulnerability.
We use sobelow to scan our own code, which would catch String.to_atom, but would not warn about ex_utils and atomize_keys.
Not specifically a security concern itself or necessarily something I think should be an elixir-security-advisories entry, but a bit of a gap between a tool like sobelow flagging any usage of String.to_atom and a dependency util offering the same function, but packaged a little differently and not being flagged.
And I'm not entirely sure how we would introduce a check for the use of atomize_keys
It would be useful to be warned about ex_utils if implemented in a project, let me know if you have any suggestions.
thanks
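For context on the gap described above: String.to_atom creates a new atom for every distinct string, and atoms are never garbage-collected, so a helper that atomizes keys from untrusted input (a decoded request body, query params) lets a remote party grow the atom table until the VM crashes. The module below is an added example, not code from ex_utils or from the issue author; the module name SafeKeys, the function names and the allow-list parameter are all hypothetical. It shows the defensive pattern a project can use instead of a dependency's atomize_keys: convert only to atoms that already exist, and optionally restrict to an explicit allow-list.

```elixir
# Added example (hypothetical module); not part of ex_utils.
defmodule SafeKeys do
  @moduledoc """
  Convert string map keys to atoms without growing the atom table.

  `String.to_existing_atom/1` only succeeds for atoms the application has
  already defined (module names, struct fields, literals in compiled code),
  so unknown keys from untrusted input are kept as strings or rejected
  instead of allocating a fresh atom.
  """

  @doc "Recursively atomizes keys that already exist as atoms; unknown keys stay strings."
  def atomize_existing_keys(map) when is_map(map) and not is_struct(map) do
    Map.new(map, fn {k, v} -> {to_existing_key(k), atomize_existing_keys(v)} end)
  end

  def atomize_existing_keys(list) when is_list(list),
    do: Enum.map(list, &atomize_existing_keys/1)

  def atomize_existing_keys(other), do: other

  # Binary keys are looked up, never created; non-binary keys pass through.
  defp to_existing_key(k) when is_binary(k) do
    String.to_existing_atom(k)
  rescue
    ArgumentError -> k
  end

  defp to_existing_key(k), do: k

  @doc """
  Strict variant for request boundaries: only keys named in `allowed`
  (a list of atoms) are converted; any other string key raises.
  """
  def atomize_allowed_keys(map, allowed) when is_map(map) and is_list(allowed) do
    # Build the lookup from the allow-list so no atom is ever created from input.
    allowed_strings = Map.new(allowed, fn a -> {Atom.to_string(a), a} end)

    Map.new(map, fn
      {k, v} when is_binary(k) ->
        case Map.fetch(allowed_strings, k) do
          {:ok, atom} -> {atom, v}
          :error -> raise ArgumentError, "unexpected key: #{inspect(k)}"
        end

      {k, v} ->
        {k, v}
    end)
  end
end

# Constructed sample input, as it might arrive from a decoded JSON body.
# `:name` and `:email` are assumed to already exist in the running VM; the
# third key is one an attacker could vary freely and must not become an atom.
untrusted = %{"name" => "a", "email" => "a@example.test", "x9f3" => 1}

SafeKeys.atomize_existing_keys(untrusted)
SafeKeys.atomize_allowed_keys(untrusted, [:name, :email])
```

With the allow-list variant the unexpected key raises, which is usually what you want at a request boundary; the existing-atom variant is the drop-in shape when you need the same recursive behaviour as an atomize_keys helper but cannot enumerate keys up front. Until a scanner flags the dependency helper, a project-level lint or grep for the helper name in your own code is a cheap way to keep the gap from this issue visible in review.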