Use non_executable_binary_to_term on loopback pubsub

josevalim · josevalim · commit 35497755b571 · 2026-05-06T23:42:55.000+02:00
diff --git a/lib/mix/lib/mix/sync/pubsub.ex b/lib/mix/lib/mix/sync/pubsub.ex
@@ -263,7 +263,7 @@ defmodule Mix.Sync.PubSub do
 
   defp decode_data(binary) do
     try do
-      {:ok, :erlang.binary_to_term(binary)}
+      {:ok, Mix.Utils.non_executable_binary_to_term(binary)}
     rescue
       _error -> :error
     end
diff --git a/lib/mix/lib/mix/tasks/format.ex b/lib/mix/lib/mix/tasks/format.ex
@@ -499,7 +499,7 @@ defmodule Mix.Tasks.Format do
 
   defp read_manifest(manifest) do
     with {:ok, binary} <- File.read(manifest),
-         {:ok, {@manifest_vsn, entry, sources}} <- safe_binary_to_term(binary),
+         {:ok, {@manifest_vsn, entry, sources}} <- non_raising_binary_to_term(binary),
          expanded_sources = Enum.flat_map(sources, &Path.wildcard(&1, match_dot: true)),
          false <- Mix.Utils.stale?([Mix.Project.config_mtime() | expanded_sources], [manifest]) do
       {entry, sources}
@@ -508,7 +508,7 @@ defmodule Mix.Tasks.Format do
     end
   end
 
-  defp safe_binary_to_term(binary) do
+  defp non_raising_binary_to_term(binary) do
     {:ok, :erlang.binary_to_term(binary)}
   rescue
     _ -> :error
diff --git a/lib/mix/lib/mix/utils.ex b/lib/mix/lib/mix/utils.ex
@@ -11,6 +11,76 @@ defmodule Mix.Utils do
   # For bootstrapping purposes
   @compile {:no_warn_undefined, Logger}
 
+  @doc """
+  A restricted version of `:erlang.binary_to_term/2` that forbids
+  *executable* terms, such as anonymous functions.
+
+  The `opts` are given to the underlying `:erlang.binary_to_term/2`
+  call, with an empty list as a default.
+
+  By default this function does not restrict atoms, as an atom
+  interned in one node may not yet have been interned on another
+  (except for releases, which preload all code).
+
+  If you want to avoid atoms from being created, then you can pass
+  `[:safe]` as options, as that will also enable the safety mechanisms
+  from `:erlang.binary_to_term/2` itself.
+  """
+  @spec non_executable_binary_to_term(binary(), [atom()]) :: term()
+  def non_executable_binary_to_term(binary, opts \\ []) when is_binary(binary) do
+    term = :erlang.binary_to_term(binary, opts)
+    non_executable_terms(term)
+    term
+  end
+
+  defp non_executable_terms(list) when is_list(list) do
+    non_executable_list(list)
+  end
+
+  defp non_executable_terms(tuple) when is_tuple(tuple) do
+    non_executable_tuple(tuple, tuple_size(tuple))
+  end
+
+  defp non_executable_terms(map) when is_map(map) do
+    folder = fn key, value, acc ->
+      non_executable_terms(key)
+      non_executable_terms(value)
+      acc
+    end
+
+    :maps.fold(folder, map, map)
+  end
+
+  defp non_executable_terms(other)
+       when is_atom(other) or is_number(other) or is_bitstring(other) or is_pid(other) or
+              is_reference(other) do
+    other
+  end
+
+  defp non_executable_terms(other) do
+    raise ArgumentError,
+          "cannot deserialize #{inspect(other)}, the term is not safe for deserialization"
+  end
+
+  defp non_executable_list([]), do: :ok
+
+  defp non_executable_list([h | t]) when is_list(t) do
+    non_executable_terms(h)
+    non_executable_list(t)
+  end
+
+  defp non_executable_list([h | t]) do
+    non_executable_terms(h)
+    non_executable_terms(t)
+  end
+
+  defp non_executable_tuple(_tuple, 0), do: :ok
+
+  defp non_executable_tuple(tuple, n) do
+    non_executable_terms(:erlang.element(n, tuple))
+    non_executable_tuple(tuple, n - 1)
+  end
+
   @doc """
   Returns the apps of a project with no filtering.
 
diff --git a/lib/mix/test/mix/utils_test.exs b/lib/mix/test/mix/utils_test.exs
@@ -28,6 +28,24 @@ defmodule Mix.UtilsTest do
     end)
   end
 
+  test "non_executable_binary_to_term" do
+    value = %{1 => {:foo, ["bar", 2.0, %URI{}, [self() | make_ref()], <<0::4>>]}}
+    assert Mix.Utils.non_executable_binary_to_term(:erlang.term_to_binary(value)) == value
+
+    assert_raise ArgumentError, fn ->
+      Mix.Utils.non_executable_binary_to_term(
+        :erlang.term_to_binary(%{1 => {:foo, [fn -> :bar end]}})
+      )
+    end
+
+    assert_raise ArgumentError, fn ->
+      Mix.Utils.non_executable_binary_to_term(
+        <<131, 100, 0, 7, 103, 114, 105, 102, 102, 105, 110>>,
+        [:safe]
+      )
+    end
+  end
+
   test "command to module" do
     assert Mix.Utils.command_to_module("cheers", Mix.Tasks) == {:module, Mix.Tasks.Cheers}
     assert Mix.Utils.command_to_module("unknown", Mix.Tasks) == {:error, :nofile}
@@ -241,9 +259,7 @@ defmodule Mix.UtilsTest do
 
         assert File.read!("graph.dot") == """
                digraph "graph" {
-                 "foo 
-               bar\r
-               baz"
+                 "foo \nbar\r\nbaz"
                }
                """
       end)
