April 04, 2023

Ensuring Security when Handling Zip Files in Phoenix Applications

clicks

Source: fly.io

Mark Ericksen discusses the safety of using the Erlang :zip module in Phoenix applications by examining potential security risks associated with zip files. The post delves into two specific types of attacks: Path Traversal attacks and Zip Bomb attacks. The Path Traversal attack allows attackers to access files outside the application directory by manipulating file paths, potentially overwriting system or application files. The Zip Bomb attack involves creating zip files that, when unarchived, can consume an immense amount of resources, leading to a denial-of-service situation. Ericksen explains through experiments that while the :zip.extract function in Elixir's OTP library prevents archiving to the system root, application root is still at risk if precautions are not taken. The use of the :cwd option in :zip.extract allows developers to control the extraction location, ensuring files are contained within it. Additionally, early detection of illegal paths in zipped directories can prevent extraction altogether. Despite these safeguards, :zip.extract is still vulnerable to Zip Bomb attacks, and antivirus software may not detect all potential threats. To enhance security when accepting zip files from users, antivirus checks, setting a secured working directory during extraction, and isolating extractions in a sandboxed environment are recommended. Ericksen concludes that Phoenix applications can indeed safely use the :zip module, provided these extra precautions are implemented.

Implementing Ctrl+Enter Submission in LiveView Text Areas

Berenice Medel discusses how to utilize hooks and a few lines of JavaScript to enable users to submit a form by hitting Ctrl+Enter within a text area. The solution involves defining a hook that listens for the keydown event and triggers the form's submit event when the specified key combination is pressed.

Jun 20, 2023

Exploring Elixir's List Comprehensions Capabilities

Jason Stiebs explains the benefits of using Elixir's list comprehension, a powerful alternative to for loops. He shows examples of how list comprehensions can be used for filtering, mapping, and accumulating data, and also explores recursion in Elixir.

Jun 26, 2023

The High Quality of Elixir Documentation

Jason Stiebs explains that the documentation for the Elixir programming language is comprehensive and easy to navigate, providing extensive discussion, guides, examples, and doctests. He also highlights the usefulness of Hex, a resource for Elixir developers that offers online hosted docs, code diffs, and a list of packages that depend on a library.

Jul 06, 2023