From 7b91367145ac4795c8bf0cfcb1684fb07028201b Mon Sep 17 00:00:00 2001 From: Thomas Citharel Date: Fri, 22 Jan 2021 19:11:13 +0100 Subject: [PATCH] Some sobelow fixes Signed-off-by: Thomas Citharel --- .sobelow-conf | 10 +++++----- .sobelow-skips | 2 ++ lib/mobilizon.ex | 3 ++- lib/mobilizon/discussions/discussions.ex | 1 + lib/mobilizon/resources/resources.ex | 1 + lib/web/auth/error_handler.ex | 1 + lib/web/proxy/reverse_proxy.ex | 2 ++ lib/web/router.ex | 4 ++-- lib/web/views/utils.ex | 1 + 9 files changed, 17 insertions(+), 8 deletions(-) create mode 100644 .sobelow-skips diff --git a/.sobelow-conf b/.sobelow-conf index 207a0df18..06cca8933 100644 --- a/.sobelow-conf +++ b/.sobelow-conf @@ -2,11 +2,11 @@ verbose: true, private: false, skip: true, - router: "", - exit: "false", + router: "lib/web/router.ex", + exit: "low", format: "txt", out: "", - threshold: "low", - ignore: ["Config.Secrets", "XSS", "Config.HTTPS"], - ignore_files: [""] + threshold: "medium", + ignore: ["Config.HTTPS"], + ignore_files: ["config/dev.1.secret.exs", "config/dev.2.secret.exs", "config/dev.3.secret.exs", "config/dev.secret.exs", "config/e2e.secret.exs", "config/prod.secret.exs", "config/test.secret.exs"] ] diff --git a/.sobelow-skips b/.sobelow-skips new file mode 100644 index 000000000..8a0f398e7 --- /dev/null +++ b/.sobelow-skips @@ -0,0 +1,2 @@ + +AACA51671C4B3C803ACBCA3FADE84CDE \ No newline at end of file diff --git a/lib/mobilizon.ex b/lib/mobilizon.ex index b4e581399..a1ca09962 100644 --- a/lib/mobilizon.ex +++ b/lib/mobilizon.ex @@ -76,10 +76,11 @@ defmodule Mobilizon do :ok end + # sobelow_skip ["DOS.StringToAtom"] @spec cachex_spec(atom, integer, integer, integer, function | nil) :: Supervisor.child_spec() defp cachex_spec(name, limit, default, interval, fallback \\ nil) do %{ - id: :"cache_#{name}", + id: String.to_atom("cache_#{to_string(name)}"), start: {Cachex, :start_link, [ diff --git a/lib/mobilizon/discussions/discussions.ex b/lib/mobilizon/discussions/discussions.ex index 9ecddffc0..35d3b47dd 100644 --- a/lib/mobilizon/discussions/discussions.ex +++ b/lib/mobilizon/discussions/discussions.ex @@ -58,6 +58,7 @@ defmodule Mobilizon.Discussions do @doc """ Callback for Absinthe Ecto Dataloader """ + # sobelow_skip ["SQL.Query"] @spec data :: Dataloader.Ecto.t() def data do Dataloader.Ecto.new(Repo, query: &query/2) diff --git a/lib/mobilizon/resources/resources.ex b/lib/mobilizon/resources/resources.ex index 23f15046c..b4cb43ae2 100644 --- a/lib/mobilizon/resources/resources.ex +++ b/lib/mobilizon/resources/resources.ex @@ -185,6 +185,7 @@ defmodule Mobilizon.Resources do end) end + # sobelow_skip ["SQL.Query"] @spec update_children(Multi.t(), Resource.t(), map()) :: Multi.t() defp update_children( %Multi{} = multi, diff --git a/lib/web/auth/error_handler.ex b/lib/web/auth/error_handler.ex index 6207477d6..edf760bb8 100644 --- a/lib/web/auth/error_handler.ex +++ b/lib/web/auth/error_handler.ex @@ -4,6 +4,7 @@ defmodule Mobilizon.Web.Auth.ErrorHandler do """ import Plug.Conn + # sobelow_skip ["XSS.SendResp"] def auth_error(conn, {type, _reason}, _opts) do body = Jason.encode!(%{message: to_string(type)}) send_resp(conn, 401, body) diff --git a/lib/web/proxy/reverse_proxy.ex b/lib/web/proxy/reverse_proxy.ex index 121e6a277..c3e5993f0 100644 --- a/lib/web/proxy/reverse_proxy.ex +++ b/lib/web/proxy/reverse_proxy.ex @@ -145,6 +145,7 @@ defmodule Mobilizon.Web.ReverseProxy do end end + # sobelow_skip ["XSS.SendResp"] def call(conn, _, _) do conn |> send_resp(400, Conn.Status.reason_phrase(400)) @@ -223,6 +224,7 @@ defmodule Mobilizon.Web.ReverseProxy do |> send_resp(code, "") end + # sobelow_skip ["XSS.SendResp"] defp error_or_redirect(conn, url, code, body, opts) do if Keyword.get(opts, :redirect_on_failure, false) do conn diff --git a/lib/web/router.ex b/lib/web/router.ex index b8aa2690e..75aaa638d 100644 --- a/lib/web/router.ex +++ b/lib/web/router.ex @@ -163,8 +163,8 @@ defmodule Mobilizon.Web.Router do get("/interact", PageController, :interact) get("/auth/:provider", AuthController, :request) - # sobelow_skip ["Config.CSRFRoute"] - # Possibly related to https://github.com/ueberauth/ueberauth/issues/125 + # Have a look at https://github.com/ueberauth/ueberauth/issues/125 some day + # Also possible CSRF issue get("/auth/:provider/callback", AuthController, :callback) post("/auth/:provider/callback", AuthController, :callback) end diff --git a/lib/web/views/utils.ex b/lib/web/views/utils.ex index 34eaa45c4..f1fba1796 100644 --- a/lib/web/views/utils.ex +++ b/lib/web/views/utils.ex @@ -5,6 +5,7 @@ defmodule Mobilizon.Web.Views.Utils do alias Mobilizon.Service.Metadata.Utils, as: MetadataUtils + # sobelow_skip ["Traversal.FileModule"] @spec inject_tags(Enum.t(), String.t()) :: {:safe, String.t()} def inject_tags(tags, locale \\ "en") do with {:ok, index_content} <- File.read(index_file_path()) do