security improvement

lib/ex_json_parser_web/live/home_live.ex

@@ -31,10 +31,7 @@ defmodule ExJsonParserWeb.HomeLive do
     end
   end
 
-  defp format_json(
-         %{"json" => new_json, "elixir_map" => new_elixir_map},
-         %{assigns: %{json: prev_json, elixir_map: prev_elixir_map}} = socket
-       ) do
+  defp format_json(%{"json" => new_json}, %{assigns: %{json: prev_json}} = socket) do
     cond do
       new_json != prev_json ->
         with {:ok, new_elixir_map} <- Jason.decode(new_json) do
@@ -45,19 +42,6 @@ defmodule ExJsonParserWeb.HomeLive do
            |> assign(elixir_map: inspect(new_elixir_map))}
         end
 
-      new_elixir_map != prev_elixir_map ->
-        with {:ok, {:%{}, _, _}} <- Code.string_to_quoted(new_elixir_map),
-             {new_elixir_map, []} <- Code.eval_string(new_elixir_map),
-             {:ok, new_json} <- Jason.encode(new_elixir_map, pretty: true) do
-          {:ok,
-           socket
-           |> assign(json: new_json)
-           |> assign(error: nil)
-           |> assign(elixir_map: inspect(new_elixir_map))}
-        else
-          _ -> {:error, "Error when decoding Json to Elixir Map"}
-        end
-
       true ->
         {:ok, socket}
     end

lib/ex_json_parser_web/live/home_live.html.heex

@@ -52,7 +52,7 @@
     <div class="col-span-4">
       <span class="block sm:inline">Elixir map</span>
       <pre class="whitespace-pre-wrap h-96">
-        <textarea name="elixir_map" class="resize rounded-md w-full h-full"><%= @elixir_map %></textarea>
+        <textarea name="elixir_map" readonly class="resize rounded-md w-full h-full bg-gray-100 cursor-not-allowed"><%= @elixir_map %></textarea>
       </pre>
       <button phx-hook="CopyToClipboard" id="elixir-map-copy-to-clipboard" class="mt-8 w-full bg-indigo-600 hover:bg-indigo-800 text-white font-bold py-2 px-4 rounded-full">
         Copy to Clipboard

test/ex_json_parser_web/live/home_live_test.exs

@@ -30,30 +30,20 @@ defmodule ExJsonParserWeb.HomeLiveTest do
     end
   end
 
-  describe "testing the elixir map to json submit" do
-    test "should transform to elixir map because json is right", %{conn: conn} do
+  describe "security around user input handling" do
+    test "should ignore elixir_map input changes to prevent code execution", %{conn: conn} do
       {:ok, view, _html} = live(conn, "/")
 
-      assert view
-             |> element("form")
-             |> render_submit(%{"json" => ~s({"ok": "test"})}) =~
-               ~s(%{"ok" => "test"})
-    end
+      malicious_input = ~s(%{"ok" => System.cmd("touch", ["/tmp/evil"])})
 
-    test "should not have an Error because json is right", %{conn: conn} do
-      {:ok, view, _html} = live(conn, "/")
+      html =
+        view
+        |> element("form")
+        |> render_submit(%{"json" => "", "elixir_map" => malicious_input})
 
-      refute view
-             |> element("form")
-             |> render_submit(%{"json" => ~s({"ok": "test"})}) =~ "Error"
-    end
-
-    test "should return an error because json is wrong", %{conn: conn} do
-      {:ok, view, _html} = live(conn, "/")
-
-      assert view
-             |> element("form")
-             |> render_submit(%{"json" => ~s({"ok" "test"})}) =~ "Error"
+      refute html =~ ~s(%{"ok" => "test"})
+      refute html =~ malicious_input
+      refute html =~ "Error"
     end
   end
 end