Description
Atoms are not garbage-collected, so creating many unique atoms dynamically can exhaust memory.
This poses a security risk: an attacker who controls the input that is converted to atoms can crash the application, a denial-of-service (DoS) attack.
To mitigate this, we should enforce safer practices in the template and educate developers on the risks and alternatives. The String.to_atom/1 function leads to atom DoS vulnerabilities when used with untrusted or dynamic input, because the atoms it creates are never reclaimed and can fill the BEAM's atom table.
For more information, see the Paraxial.io blog: Atom DoS: Exploiting the BEAM's Atom Table.
Tasks
- Use String.to_existing_atom/1 instead of String.to_atom/1.
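To illustrate the issue and the recommended fix, here is an added example (not code from this project): the unsafe pattern next to two safe ways of mapping untrusted input to atoms. The module name, the `@allowed` field list and the input strings are constructed for the demonstration.

```elixir
defmodule SafeAtoms do
  # Hypothetical set of field names the application actually accepts.
  # Declaring them here also guarantees the atoms exist at compile time.
  @allowed ~w(name email role)a

  # Vulnerable: every distinct string creates a new atom that is never
  # collected, so attacker-controlled input grows the atom table without bound.
  def parse_unsafe(field) when is_binary(field), do: String.to_atom(field)

  # Mitigation 1: only resolve strings to atoms that already exist in the VM.
  # Unknown input raises ArgumentError, which is turned into an error tuple
  # instead of allocating a new atom.
  def parse_safe(field) when is_binary(field) do
    {:ok, String.to_existing_atom(field)}
  rescue
    ArgumentError -> {:error, :unknown_field}
  end

  # Mitigation 2 (strictest): compare against an explicit allowlist, so the
  # only atoms that can ever be produced are the ones the code already names.
  def parse_allowlisted(field) when is_binary(field) do
    Enum.find_value(@allowed, {:error, :unknown_field}, fn atom ->
      if Atom.to_string(atom) == field, do: {:ok, atom}
    end)
  end

  # Number of atoms currently in the VM's atom table, from the runtime itself.
  def atom_count, do: :erlang.system_info(:atom_count)

  # Shows the growth the issue describes: a handful of constructed unique
  # strings passed through parse_unsafe/1 each leave a permanent atom behind.
  def growth_demo do
    before = atom_count()
    Enum.each(1..5, fn i -> parse_unsafe("constructed_field_#{i}") end)
    %{atoms_added: atom_count() - before}
  end
end

# Demonstration on constructed input.
IO.inspect(SafeAtoms.parse_safe("email"), label: "known field, safe")
IO.inspect(SafeAtoms.parse_safe("not_a_field"), label: "unknown field, safe")
IO.inspect(SafeAtoms.parse_allowlisted("name"), label: "allowlisted")
IO.inspect(SafeAtoms.parse_allowlisted("admin"), label: "not allowlisted")
IO.inspect(SafeAtoms.growth_demo(), label: "unsafe conversion")
```

`String.to_existing_atom/1` only protects you if the atoms you expect already exist (for example because they are literals in your code); the allowlist form makes that dependency explicit.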