2
votes

In theory it could be possible to take down a Phoenix / Elixir app by creating too many atoms in memory. Since atoms are not garbage collected, this could lead to a memory overflow. I could imagine that it could be possible for an attacker to use User Input (like through a form / REST API) to create an arbitrary amount of atoms, high enough to crash the app.

Of course, Phoenix already seems to do quite a good job. So if I post this to a test app:

POST /api/ddos HTTP/1.1
Host: localhost:4000
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded

key=value

And process it with a simple controller:

def ddos(conn, params) do
  # Print the decoded request params as Phoenix hands them to the controller
  IO.puts(inspect(params))

  conn
  |> put_status(200)
  |> json(params)
end

The result in iex is

%{"key" => "value"}

Are there any more precautions I have to take to prevent such an attack?

1 Answers

9
votes

The reason the keys in params are strings and not atoms is to avoid creating atoms based on user input.

You will find the same in the decode function of Poison and in HTTP headers.

There are no precautions you have to take; the user input for keys is always treated as a string and not an atom. If you find that this is not the case, then it is almost certainly a bug.

If you do need to dynamically create an atom then you should use String.to_existing_atom/1 instead of String.to_atom/1.
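The difference between the two functions named in the answer above, shown as an added example that is not part of the original answer: it converts string keys to atoms with `String.to_existing_atom/1` plus an allowlist, and compares the growth of the atom table against `String.to_atom/1`. The module name `AtomSafety`, the `@allowed_keys` list and the sample params are assumptions made for illustration.

```elixir
defmodule AtomSafety do
  # Keys the application expects (hypothetical schema for this example).
  # Writing them as literals creates the atoms at compile time.
  @allowed_keys ~w(name email)a

  # Unsafe: every distinct user-supplied key becomes a new atom,
  # and atoms are never garbage collected.
  def unsafe_atomize(params) do
    Map.new(params, fn {k, v} -> {String.to_atom(k), v} end)
  end

  # Safe: a key is converted only if its atom already exists and is
  # on the allowlist; all other keys are dropped.
  def safe_atomize(params) do
    Enum.reduce(params, %{}, fn {k, v}, acc ->
      case to_allowed_atom(k) do
        {:ok, atom} -> Map.put(acc, atom, v)
        :error -> acc
      end
    end)
  end

  defp to_allowed_atom(key) do
    atom = String.to_existing_atom(key)
    if atom in @allowed_keys, do: {:ok, atom}, else: :error
  rescue
    # Raised when no atom with this name exists yet
    ArgumentError -> :error
  end

  def atom_count, do: :erlang.system_info(:atom_count)
end

# Constructed input: one expected key plus 1,000 keys the app has never seen.
params =
  for i <- 1..1_000, into: %{"name" => "alice"} do
    {"k#{System.unique_integer([:positive])}_#{i}", "x"}
  end

baseline = AtomSafety.atom_count()
safe = AtomSafety.safe_atomize(params)
after_safe = AtomSafety.atom_count()
_ = AtomSafety.unsafe_atomize(params)
after_unsafe = AtomSafety.atom_count()

IO.inspect(safe, label: "safe result")
IO.puts("atoms added by safe path:   #{after_safe - baseline}")
IO.puts("atoms added by unsafe path: #{after_unsafe - after_safe}")
```

The unsafe path adds about one atom per unique key, while the safe path leaves the table essentially unchanged; `:erlang.system_info(:atom_limit)` reports the ceiling at which the VM would terminate.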