elixir-security-review
14
总安装量
5
周安装量
#23852
全站排名
安装命令
npx skills add https://github.com/existential-birds/beagle --skill elixir-security-review
Agent 安装分布
github-copilot
4
codex
4
gemini-cli
4
replit
3
claude-code
3
Skill 文档
Elixir Security Review
Quick Reference
| Issue Type | Reference |
|---|---|
| Code.eval_string, binary_to_term | references/code-injection.md |
| String.to_atom dangers | references/atom-exhaustion.md |
| Config, environment variables | references/secrets.md |
| ETS visibility, process dictionary | references/process-exposure.md |
Review Checklist
Critical (Block Merge)
- No
Code.eval_string/1on user input - No
:erlang.binary_to_term/1without:safeon untrusted data - No
String.to_atom/1on external input - No hardcoded secrets in source code
Major
- ETS tables use appropriate access controls
- No sensitive data in process dictionary
- No dynamic module creation from user input
- Path traversal prevented in file operations
Configuration
- Secrets loaded from environment
- No secrets in config/*.exs committed to git
- Runtime config used for deployment secrets
Valid Patterns (Do NOT Flag)
- String.to_atom on compile-time constants – Atoms created at compile time are safe
- Code.eval_string in dev/test – May be needed for tooling
- ETS :public tables – Valid when intentionally shared
- binary_to_term with :safe – Explicitly safe option used
Context-Sensitive Rules
| Issue | Flag ONLY IF |
|---|---|
| String.to_atom | Input comes from external source (user, API, file) |
| binary_to_term | Data comes from untrusted source |
| ETS :public | Contains sensitive data |
Before Submitting Findings
Use the issue format: [FILE:LINE] ISSUE_TITLE for each finding.
Load and follow review-verification-protocol before reporting any issue.