Malicious libraries can steal all your application secrets in Elixir (peterullrich.com)
42 points by pjullrich on July 22, 2023 | 12 comments



This is an important thing to be aware of, but this is not unique to Elixir, and the article title does not mention Elixir specifically although the example shown is in Elixir. If you are not careful about your dependency chain, attacks like this could happen in any language. When you pull code in and run it in your app, you are trusting it as if you wrote it yourself.


Not quite every language. Giving libraries access to every capability by default is a language design decision, not a law of nature.


Do you mind highlighting languages that have avoided making similar decisions?


With deno you need to manually specify if you want to permit internet access:

deno run --allow-net=xyz.com,abc.com

If you run without a domain, it allows access to all. Seems like it should be more explicit by default, perhaps there is a config option.

Speaking of config options, I wonder if there is a config option to prohibit access to domains like pastebin.org no matter what. Seems like an arms race that an attacker could circumvent, but maybe they won't bother and will only attack my dumber friends.


I used E in the 90s: http://erights.org/

I haven't kept up with newer systems but I've heard of https://github.com/endojs/endo and just came across http://reports-archive.adm.cs.cmu.edu/anon/home/anon/isr2017... (which says "in the style of the E programming language" -- that's as far as I've read) while looking that up.

WebAssembly was designed to follow the same capability security principles. CHERI too as someone else just brought up.

Yet another newer capability system in progress -- I don't know what it can do today or if it tackles this particular problem but it sounds cool: https://spritelyproject.org/


WASM is great in that you can sandbox code and give it limited permissions to run. Actually I do hope wasm becomes more widespread as a base for app development, however, when importing library code into your own native code base, it's going to run with the same perms as that code base. Sandboxing a library would have the effect of making it probably slower and more annoying to interact with.


This isn't a language, but CHERI has hardware-enforced capabilities, so if your library was never given a pointer that (even transitively) has access to some secret, it's completely SOL as it's impossible to access any memory without the corresponding capability.


Don't programs running in iOS and perhaps Android (and macOS) have to put up modal dialogs requesting the person running the program for access to things it could screw up?

Is that an example?


That's not nothing, but it's not a usable and flexible enough solution -- people end up giving far too coarse-grained authority because that's seemingly the only way that's easy.


Is there something about Elixir that makes this surprising? Otherwise, the insight that code that forms part of an application has access to the application state is not exactly very deep.


Plug: I've been building Packj [1] to detect dummy, malicious, abandoned, typo-squatting, and other "risky" packages. It carries out static/dynamic/metadata analysis and scans for 40+ attributes such as num funcs/files, spawning of shell, use of SSH keys, network communication, use of decode+eval, mismatch of GitHub code vs packaged code (provenance), change in APIs across versions, etc. to flag risky packages.

1. https://github.com/ossillate-inc/packj
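
A sketch of the kind of static attribute check the comment above lists (network communication, spawning of shell, use of SSH keys, decode+eval), added here as an example; it is not Packj's code, and the rule sets, flag names and sample module are constructed assumptions.

```python
import ast

# Constructed sample module; it is only parsed, never executed.
SAMPLE = '''
import base64, os, subprocess
import urllib.request
def setup():
    key = open(os.path.expanduser("~/.ssh/id_rsa")).read()
    urllib.request.urlopen("https://collector.example/ping")
    subprocess.run("id", shell=True)
    exec(base64.b64decode("cHJpbnQoMSk="))
'''

# Illustrative rule sets (assumptions, far smaller than a real scanner's).
NETWORK_MODULES = {"socket", "urllib", "http", "requests", "ftplib"}
SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "subprocess.check_output"}
DECODERS = {"b64decode", "decompress", "unhexlify", "fromhex"}

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else ''."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    return ".".join(reversed(parts + [node.id]))

def scan(source):
    """Return a sorted list of (line, flag) findings for one module's source."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            mods = ([a.name for a in node.names] if isinstance(node, ast.Import)
                    else [node.module or ""])
            if any(m.split(".")[0] in NETWORK_MODULES for m in mods):
                findings.add((node.lineno, "network"))
        elif isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in SHELL_CALLS:
                findings.add((node.lineno, "shell"))
            if name in ("eval", "exec") and any(
                    isinstance(a, ast.Call) and dotted(a.func).split(".")[-1] in DECODERS
                    for a in node.args):
                findings.add((node.lineno, "decode+eval"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) and ".ssh/" in node.value:
            findings.add((node.lineno, "ssh-key"))
    return sorted(findings)
```

Flags like these are triage signals for a reviewer, not verdicts: legitimate packages import network modules and spawn processes too.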


in any language

The subject matter and title unfairly single out Elixir.



