Potential atom exhaustion

[abc3]

Parsing untrusted input with Code.string_to_quoted!/1 can create new atoms for identifiers, literal atoms, and keyword keys.
Since atoms are not garbage-collected in the BEAM, an attacker can send input that generates many unique atoms, eventually exhausting the atom table and crashing the VM.

Solution:
Use existing_atoms_only: true and/or a strict static_atoms_encoder to reject or whitelist allowed atoms.

[hauleth]

This will require custom parser AFAIK as Code.string_to_quoted!/1 do not have a way to disallow atom creation. This will also make it hard to write code, as variables or function names require atoms in Elixir parser.