nccgroup / sobelow

Security-focused static analysis for the Phoenix Framework
Apache License 2.0

Crash when attempting to normalize_path #103

Closed aham3r closed 1 year ago

aham3r commented 2 years ago

I have used Sobelow before without issue (many thanks for all the work that is being done here).

On a new installation of Elixir/Erlang and creation of a project using the Phoenix Framework, Sobelow crashes when run as a standalone script or as a dependency of my project. I suspect it may be Windows related. Upon review of the code I didn't see any recent changes to any code I reviewed. I also did a quick check of the Sobelow history for recent changes, but nothing stood out as a cause.

Environment

- Windows 10
- Phoenix 1.6.2
- Elixir 1.12.3
- Erlang/OTP 22 [erts-10.7]
- Sobelow (0.8)*

*I tried other versions of Sobelow including the latest tag 0.10, and I found it interesting that the logs say 0.11.1. I care more about the release tags than about what is printed, but I didn't know where v0.11.1 comes from or what it is trying to express, and I don't want it to cause confusion. Please let me know if I need to clarify.

Details

$ mix sobelow -r apps/myapp_web

##############################################
#                                            #
#          Running Sobelow - v0.11.1         #
#  Created by Griffin Byatt - @griffinbyatt  #
#     NCC Group - https://nccgroup.trust     #
#                                            #
##############################################

** (FunctionClauseError) no function clause matching in Path.absname_vr/3

    The following arguments were given to Path.absname_vr/3:

        # 1
        ["/", "lib", "myapp_web", "router.ex"]

        # 2
        []

        # 3
        ""

    Attempted function clauses (showing 3 out of 3):

        defp absname_vr(+["/" | rest]+, -[volume | _]-, +_relative+)     
        defp absname_vr(-[<<x, 58>> | rest]-, -[<<x, _::binary()>> | _]-, +relative+)
        defp absname_vr(-[<<x, 58>> | name]-, +_+, +_relative+)

    (elixir 1.12.3) lib/path.ex:81: Path.absname_vr/3
    (elixir 1.12.3) lib/path.ex:190: Path.expand/2
    lib/sobelow/utils.ex:24: Sobelow.Utils.normalize_path/1
    lib/sobelow/finding.ex:51: Sobelow.Finding.fingerprint/1
    lib/sobelow/finding.ex:43: Sobelow.Finding.fetch_fingerprint/1       
    lib/sobelow/config/csp.ex:117: Sobelow.Config.CSP.add_finding/1

    (elixir 1.12.3) lib/enum.ex:930: Enum."-each/2-lists^foreach/1-0-"/2 
    lib/sobelow.ex:94: Sobelow.run/0

$ cd apps/myapp_web/;mix sobelow

##############################################
#                                            #
#          Running Sobelow - v0.11.1         #
#  Created by Griffin Byatt - @griffinbyatt  #
#     NCC Group - https://nccgroup.trust     #
#                                            #
##############################################

Config.CSP: Missing Content-Security-Policy - High Confidence
File: c:/lib/myapp_web/router.ex
Pipeline: browser
Line: 12

-----------------------------------------------

** (FunctionClauseError) no function clause matching in Path.absname_vr/3

    The following arguments were given to Path.absname_vr/3:

        # 1
        ["/", "templates", "page", "index.html.eex"]

        # 2
        []

        # 3
        ""

    Attempted function clauses (showing 3 out of 3):

        defp absname_vr(+["/" | rest]+, -[volume | _]-, +_relative+)     
        defp absname_vr(-[<<x, 58>> | rest]-, -[<<x, _::binary()>> | _]-, +relative+)
        defp absname_vr(-[<<x, 58>> | name]-, +_+, +_relative+)

    (elixir 1.12.3) lib/path.ex:81: Path.absname_vr/3
    (elixir 1.12.3) lib/path.ex:190: Path.expand/2
    lib/sobelow/utils.ex:24: Sobelow.Utils.normalize_path/1
    lib/sobelow/xss/raw.ex:41: anonymous fn/8 in Sobelow.XSS.Raw.run/4   
    (elixir 1.12.3) lib/enum.ex:930: Enum."-each/2-lists^foreach/1-0-"/2 
    lib/sobelow.ex:99: Sobelow.run/0
    (mix 1.12.3) lib/mix/task.ex:394: anonymous fn/3 in Mix.Task.run_task/3
    (mix 1.12.3) lib/mix/cli.ex:84: Mix.CLI.run_task/2

I am not clear on the reason different files resulted in similar crashes, so I decided to focus on why the path associated with the file was incorrect. Based on my inspection I was able to resolve it by changing to a relative path instead of attempting to expand to an absolute path, updating Sobelow.Utils.normalize_path from

  def normalize_path(filename) do
    filename
    # Expanding against an empty base directory is the call that raises
    # FunctionClauseError in Path.absname_vr/3 in the traces above.
    |> Path.expand("")
    |> String.replace_prefix("/", "")
  end

to

  def normalize_path(filename) do
    filename
    # Skip the expansion entirely and only strip a leading separator.
    |> String.replace_prefix("/", "")
  end

$ cd ../..;mix deps.compile sobelow; mix sobelow -r apps/myapp_web

##############################################
#                                            #
#          Running Sobelow - v0.11.1         #
#  Created by Griffin Byatt - @griffinbyatt  #
#     NCC Group - https://nccgroup.trust     #
#                                            #
##############################################

Config.CSP: Missing Content-Security-Policy - High Confidence
File: apps/myapp_web/lib/myapp_web/router.ex
Pipeline: browser
Line: 12

-----------------------------------------------

... SCAN COMPLETE ...

$ cd apps/myapp_web;mix sobelow

##############################################
#                                            #
#          Running Sobelow - v0.11.1         #
#  Created by Griffin Byatt - @griffinbyatt  #
#     NCC Group - https://nccgroup.trust     #
#                                            #
##############################################

Config.CSP: Missing Content-Security-Policy - High Confidence
File: ./lib/myapp_web/router.ex
Pipeline: browser
Line: 12

-----------------------------------------------

... SCAN COMPLETE ...

I am hopeful that this is just a configuration problem on my current environment, but I am not clear as to what is wrong. Any guidance would be greatly appreciated.
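The crash described in this report comes from `Path.expand/2` being handed an empty base directory, which on Windows leaves `Path.absname_vr/3` with no volume for a path like `/lib/myapp_web/router.ex`. The following is an added example, not Sobelow's own code or its eventual fix; it reproduces the failing condition and shows a normalization that always expands against a real directory (`File.cwd!/0` by default, an assumption of this example) and then makes the result relative to it, so fingerprints do not depend on where the project is checked out.

```elixir
defmodule PathNormalizeExample do
  @moduledoc """
  Added example, not part of Sobelow. Demonstrates the failing call from the
  report and a defensive alternative to `Path.expand(filename, "")`.
  """

  # Reproduces the reported crash condition. On Windows, "/lib/myapp_web/router.ex"
  # is a :volumerelative path; with an empty second argument Path.expand/2 gives
  # Path.absname_vr/3 no volume to attach it to and it raises FunctionClauseError.
  # On Unix the same call simply returns the path unchanged.
  def expand_crashes?(filename) do
    Path.expand(filename, "")
    false
  rescue
    FunctionClauseError -> true
  end

  # Defensive normalization (this example's approach, not the upstream fix):
  # expand against a real directory, then express the result relative to it.
  # `base` is itself expanded first so that drive letters are normalized the
  # same way on both sides before Path.relative_to/2 compares them.
  def normalize_path(filename, base \\ File.cwd!()) do
    base = Path.expand(base)
    expanded = Path.expand(filename, base)

    case Path.relative_to(expanded, base) do
      # Path.relative_to/2 returns its input unchanged when the path is not under
      # `base`; in that case fall back to stripping a leading separator, as the
      # report's workaround does, rather than raising.
      ^expanded -> String.replace_prefix(expanded, "/", "")
      relative -> relative
    end
  end
end

# Constructed sample inputs mirroring the paths seen in the report.
IO.inspect(PathNormalizeExample.expand_crashes?("/lib/myapp_web/router.ex"),
  label: "expand against \"\" crashes on this platform?"
)

IO.inspect(PathNormalizeExample.normalize_path("./lib/myapp_web/router.ex"),
  label: "normalized"
)
```

Run with `elixir path_normalize_example.exs` from the project root; on Windows the first line prints `true`, on Unix `false`, while the second prints `lib/myapp_web/router.ex` on both.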

houllette commented 1 year ago

Hey @aham3r, sorry for such a long delay! Are you still encountering this issue? Hopefully it just ended up being an environment issue!