nccgroup / sobelow

Security-focused static analysis for the Phoenix Framework
Apache License 2.0

sobelow does not analyse `sigil_H` #160

Open marcandre opened 7 months ago

marcandre commented 7 months ago

While sobelow analyses .heex templates, it seems it completely ignores HEEx templates written inline using ~H"...".

For some tests, in particular XSS, this is a critical issue.

houllette commented 7 months ago

Interesting! Thanks for the find - I'll need to dig a bit deeper into this feature add, because existing .heex support like you linked is all based around reading entire template files and not strings within .ex files. Therefore it wouldn't be simply a matter of adjusting the existing rule, but more than likely creating a brand new rule or revamping the existing one to also consider .ex files with ~H"...".

To be honest, I'm also not sure Sobelow currently identifies / pulls out sigils in any sort of way - so I would need to look into that before confirming how difficult an adjustment this is. But this is still a great callout to improve detections!
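An added example, not Sobelow's code and not from either commenter, showing one way to "pull out" ~H sigils from an .ex source file with Elixir's own parser and then check each template body for the same raw/1 pattern Sobelow's XSS rules look for in .heex files. The module name SigilHScan, the sample DemoWeb.ProfileLive module and its two templates are constructed for this example; only the Elixir standard library is used.

```elixir
# Added example (not Sobelow's own code): locate ~H sigils in Elixir source
# and report any whose template body calls raw/1, i.e. emits unescaped HTML.
# Assumes only the Elixir standard library; module and sample are constructed.
defmodule SigilHScan do
  @doc "Return [{line, body}] for every ~H sigil found in the given source string."
  def find_sigils(source) do
    # Code.string_to_quoted/1 parses without compiling, so ~H needs no Phoenix.
    {:ok, ast} = Code.string_to_quoted(source)

    {_ast, found} =
      Macro.prewalk(ast, [], fn
        # An uppercase sigil parses to {:sigil_H, meta, [{:<<>>, _, parts}, modifiers]};
        # for ~H the parts list holds the literal template text as binaries.
        {:sigil_H, meta, [{:<<>>, _, parts}, _mods]} = node, acc ->
          body = parts |> Enum.filter(&is_binary/1) |> Enum.join()
          {node, [{Keyword.get(meta, :line), body} | acc]}

        node, acc ->
          {node, acc}
      end)

    Enum.reverse(found)
  end

  @doc "Keep only sigil bodies that call raw/1 (the unescaped-output pattern)."
  def flag_raw(sigils) do
    Enum.filter(sigils, fn {_line, body} -> String.contains?(body, "raw(") end)
  end
end

# Constructed sample: a LiveView-style module with one escaped template and one
# that outputs user-controlled data through raw/1.
sample = ~S"""
defmodule DemoWeb.ProfileLive do
  use Phoenix.LiveView

  def render(assigns) do
    ~H"<h1><%= @user.name %></h1>"
  end

  def bio(assigns) do
    ~H"<div><%= raw(@user.bio) %></div>"
  end
end
"""

sample
|> SigilHScan.find_sigils()
|> SigilHScan.flag_raw()
|> Enum.each(fn {line, body} ->
  IO.puts("line #{line}: raw/1 inside ~H template: #{body}")
end)
```

Running this with `elixir sigil_h_scan.exs` reports only the `bio/1` template. The walk works on the parsed AST rather than on the raw text, so it finds ~H sigils regardless of delimiter or heredoc style; a real rule would then hand each extracted body to the same HEEx checks that already run over .heex files.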