nccgroup / sobelow

Security-focused static analysis for the Phoenix Framework
Apache License 2.0

Directory Traversal incorrectly marks `send_download(_, {:binary, _}, filename: _)` as unsafe due to keyword list arg #33

Closed tmecklem closed 6 years ago

tmecklem commented 6 years ago

Phoenix (at least version 1.3.0) requires the filename keyword list arg when specifying a :binary download. Sobelow incorrectly marks binary send_download calls with that required argument as a vulnerability.

The Phoenix exception for send_download without a filename option is

** (RuntimeError) :filename option is required when sending binary download

but specifying filename triggers

Directory Traversal in `send_download` - Medium Confidence
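To make the distinction in this report concrete, here is an added example written for this page; it is not code from the issue or from the sobelow project. It puts the flagged `{:binary, _}` call next to a `{:file, _}` call built from a request parameter, where a traversal finding is justified, and next to a hardened `{:file, _}` variant. The module name, the `priv/reports` directory and the request parameters are assumptions made up for the example.

```elixir
defmodule MyAppWeb.ReportController do
  use MyAppWeb, :controller

  # Constructed example of the call the issue describes: the body is built in
  # memory, so no filesystem path is involved anywhere in the call. The
  # `:filename` option only populates the Content-Disposition header, and
  # Phoenix requires it for a :binary download. Nothing here can traverse
  # directories, so a Directory Traversal finding on it is a false positive.
  def export(conn, _params) do
    csv = "id,name\n1,alice\n2,bob\n"
    send_download(conn, {:binary, csv}, filename: "report.csv")
  end

  # Constructed contrast: a {:file, _} download whose path is assembled from a
  # request parameter. A `name` containing `..` segments escapes the intended
  # directory, so here the Directory Traversal finding is correct.
  def download_unsafe(conn, %{"name" => name}) do
    send_download(conn, {:file, Path.join("priv/reports", name)})
  end

  # Hardened {:file, _} variant: drop any directory component from the
  # requested name, expand it under the allowed directory, and confirm the
  # result still lies inside that directory and is a regular file before
  # serving it. (Expanding at compile time is a simplification for the example;
  # a real app would derive the directory from its runtime configuration.)
  @reports_dir Path.expand("priv/reports")

  def download(conn, %{"name" => name}) do
    safe_name = Path.basename(name)
    path = Path.expand(safe_name, @reports_dir)

    if String.starts_with?(path, @reports_dir <> "/") and File.regular?(path) do
      send_download(conn, {:file, path}, filename: safe_name)
    else
      conn
      |> put_status(:not_found)
      |> text("not found")
    end
  end
end
```

The point for triage is that a `{:binary, _}` download carries no path for an attacker to influence, so the `filename:` keyword list should not by itself raise the finding; the `{:file, _}` form is where the check earns its keep, and the prefix comparison after `Path.expand/2` is what stops `..` and absolute paths from leaving the allowed directory.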

tmecklem commented 6 years ago

PR forthcoming when I get home

GriffinMB commented 6 years ago

Thank you for the PR! I'll merge tonight, and push an update to hex.pm.