ex_utils -> atomize_keys -> String.to_atom
barrieloydall opened this issue · comments
Hi there, I noticed ex_utils public util atomize_keys uses String.to_atom and is masking that vulnerability.
We use sobelow to scan our own code, which would catch String.to_atom, but would not warn about ex_utils and atomize_keys.
Not specifically a security concern itself or necessarily something I think should be an elixir-security-advisories entry, but a bit of a gap between a tool like sobelow flagging any usage of String.to_atom and a dependency util offering the same function, but packaged a little differently and not being flagged.
And I'm not entirely sure how we would introduce a check for the use of atomize_keys.
It would be useful to be warned about ex_utils if implemented in a project; let me know if you have any suggestions.
Thanks
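For readers following the report: the reason sobelow flags String.to_atom (its DOS.StringToAtom check) is that atoms are never garbage-collected and the VM has a fixed atom table (1,048,576 entries by default), so converting attacker-controlled strings such as JSON keys into atoms lets a remote client exhaust the table and crash the node. The block below is an added example, not code from ex_utils or from the issue author: the module name SafeKeys, the function names, and the sample map are all hypothetical. It shows the unsafe pattern the issue describes alongside two hardened forms, one that only converts keys whose atom already exists and one that only converts keys from an explicit allowlist.

```elixir
# Added example (not ex_utils code). SafeKeys and its functions are hypothetical names.
defmodule SafeKeys do
  @doc """
  Unsafe variant, mirroring the pattern the issue describes: every distinct
  string key mints a new atom, and atoms are never reclaimed, so untrusted
  input grows the atom table without bound.
  """
  def atomize_keys_unsafe(map) when is_map(map) do
    Map.new(map, fn {k, v} -> {String.to_atom(k), v} end)
  end

  @doc """
  Hardened variant: a string key is converted only if that atom already
  exists (i.e. the application itself references it somewhere); unknown
  keys are kept as strings instead of creating new atoms.
  """
  def atomize_keys(map) when is_map(map) do
    Map.new(map, fn
      {k, v} when is_binary(k) -> {to_existing_atom_or_keep(k), v}
      {k, v} -> {k, v}
    end)
  end

  @doc """
  Stricter variant: only keys named in an explicit allowlist of atoms are
  converted; everything else stays a string. Prefer this when the set of
  expected keys is known (e.g. a decoded request body).
  """
  def atomize_keys(map, allowed) when is_map(map) and is_list(allowed) do
    # Build the allowlist as strings once so lookup is O(1) per key.
    allowed_set = MapSet.new(allowed, &Atom.to_string/1)

    Map.new(map, fn
      {k, v} when is_binary(k) ->
        if MapSet.member?(allowed_set, k) do
          # Safe: the atom was created by the allowlist literal, so it exists.
          {String.to_existing_atom(k), v}
        else
          {k, v}
        end

      {k, v} ->
        {k, v}
    end)
  end

  # String.to_existing_atom/1 raises ArgumentError for atoms that do not
  # exist yet; that is exactly the case we want to refuse to create.
  defp to_existing_atom_or_keep(k) do
    String.to_existing_atom(k)
  rescue
    ArgumentError -> k
  end
end

# Constructed sample input: a decoded JSON body where "name" and "email" are
# keys the application expects and the third key is chosen by the client.
allowed = [:name, :email]
body = %{"name" => "alice", "email" => "a@example.invalid", "zz_client_chosen_9f3a" => 1}

IO.inspect(SafeKeys.atomize_keys(body, allowed), label: "allowlist")
IO.inspect(SafeKeys.atomize_keys(body), label: "existing atoms only")
# Only the unsafe variant below would add "zz_client_chosen_9f3a" to the atom table.
IO.inspect(SafeKeys.atomize_keys_unsafe(body), label: "unsafe")
```

The existing-atom variant is the drop-in replacement for a generic helper like atomize_keys, since the atoms an application actually pattern-matches on are created when its modules compile; the allowlist variant is the safer choice at a trust boundary because it does not depend on which atoms happen to exist in the running VM. As for the detection gap the issue raises, sobelow only sees String.to_atom calls in the scanned project's own source, so a wrapper in a dependency is invisible to it; a project-level custom check or grep for the wrapper's name in CI is the practical stopgap until the dependency itself switches to one of the forms above.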