nccgroup / sobelow

Security-focused static analysis for the Phoenix Framework
Apache License 2.0

Error when analysing pipeline #53

Status: Closed (closed by gabrielpra1 4 years ago)

gabrielpra1 commented 4 years ago

When I run mix sobelow (version 0.9.1) in my Phoenix application (version 1.4.9), I get the following error:

** (FunctionClauseError) no function clause matching in Sobelow.Config.is_vuln_pipeline?/2

    The following arguments were given to Sobelow.Config.is_vuln_pipeline?/2:

        # 1
        {:pipeline, [line: 78], [{:config, [line: 78], nil}, {:pipeline_opts, [line: 78], nil}]}

        # 2
        :csrf

    Attempted function clauses (showing 2 out of 2):

        def is_vuln_pipeline?({:pipeline, _, [_name, [do: block]]}, :csrf)
        def is_vuln_pipeline?({:pipeline, _, [_name, [do: block]]}, :headers)

    lib/sobelow/config.ex:93: Sobelow.Config.is_vuln_pipeline?/2
    (elixir) lib/stream.ex:481: anonymous fn/4 in Stream.filter/2
    (elixir) lib/enum.ex:3325: Enumerable.List.reduce/3
    (elixir) lib/stream.ex:1583: Enumerable.Stream.do_each/4
    (elixir) lib/enum.ex:3023: Enum.each/2
    (elixir) lib/enum.ex:783: Enum."-each/2-lists^foreach/1-0-"/2
    (elixir) lib/enum.ex:783: Enum.each/2
    (elixir) lib/enum.ex:783: Enum."-each/2-lists^foreach/1-0-"/2

This is the relevant part in my router.ex file:

  # Fragment of router.ex; @max_complexity, Pipeline, Resolution and
  # ObjectScopeAuthorization are defined or aliased elsewhere in the module.
  scope "/" do
    pipe_through :graphql

    forward "/graphiql",
      Absinthe.Plug.GraphiQL,
      schema: AppWeb.Schema,
      analyze_complexity: true,
      max_complexity: @max_complexity,
      interface: :playground,
      pipeline: {__MODULE__, :pipeline}

    forward "/graphql",
      Absinthe.Plug,
      schema: AppWeb.Schema,
      analyze_complexity: true,
      max_complexity: @max_complexity,
      pipeline: {__MODULE__, :pipeline}
  end

  # Custom Absinthe pipeline referenced above via {__MODULE__, :pipeline}.
  # Its AST head is also :pipeline, which is what collides with the Phoenix
  # `pipeline :name do ... end` macro that Sobelow pattern-matches on.
  def pipeline(config, pipeline_opts) do
    config
    |> Map.fetch!(:schema_mod)
    |> Pipeline.for_document(pipeline_opts)
    |> Pipeline.insert_after(Resolution, ObjectScopeAuthorization)
  end

The problem is that I have this def pipeline defined, and Sobelow does not expect any other function defined, I guess, since when I remove that function it works fine.
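The root cause in the trace above is visible in the AST: the Phoenix macro call `pipeline :browser do ... end` quotes to `{:pipeline, meta, [:browser, [do: block]]}`, while a function head `def pipeline(config, pipeline_opts)` contains the inner node `{:pipeline, meta, [{:config, meta, nil}, {:pipeline_opts, meta, nil}]}`. A walk that collects every node whose head is `:pipeline` picks up both, and a checker with clauses only for the macro shape raises FunctionClauseError on the second. The following is an added example, not Sobelow's own code, written to show both shapes on a constructed router fragment and a matcher with a fallback clause that skips anything that is not a router pipeline. The CSRF criterion used here (session fetched without `protect_from_forgery`) is an assumption that only approximates Sobelow's actual check.

```elixir
# Added example (not Sobelow's code): why `def pipeline(config, pipeline_opts)`
# matches the same AST head as the Phoenix `pipeline :name do ... end` macro,
# and a matcher with a fallback clause so unrelated `pipeline` nodes are skipped.
defmodule PipelineAstDemo do
  # Constructed router fragment: a browser pipeline missing
  # protect_from_forgery, a correct one, and a `def pipeline/2`
  # shaped like the one in the issue.
  @router """
  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
  end

  pipeline :safe_browser do
    plug :fetch_session
    plug :protect_from_forgery
  end

  def pipeline(config, pipeline_opts) do
    config
    |> Map.fetch!(:schema_mod)
    |> Pipeline.for_document(pipeline_opts)
  end
  """

  # Collect every AST node whose head is :pipeline, the way a naive
  # prewalk does. Both the macro call and the inner call-shaped node of
  # `def pipeline(config, pipeline_opts)` end up in this list.
  def pipeline_nodes(source \\ @router) do
    {_ast, nodes} =
      source
      |> Code.string_to_quoted!()
      |> Macro.prewalk([], fn
        {:pipeline, _, _} = node, acc -> {node, [node | acc]}
        node, acc -> {node, acc}
      end)

    Enum.reverse(nodes)
  end

  # Illustrative CSRF criterion (assumption, approximating Sobelow's check):
  # a pipeline that fetches the session but never calls protect_from_forgery.
  def vuln_pipeline?({:pipeline, _, [_name, [do: block]]}, :csrf) do
    plugs = plug_names(block)
    :fetch_session in plugs and :protect_from_forgery not in plugs
  end

  # Fallback clause: anything that is not the macro shape, such as the
  # `{:pipeline, _, [{:config, _, nil}, {:pipeline_opts, _, nil}]}` node
  # taken from `def pipeline/2`, is not a router pipeline and is never flagged.
  def vuln_pipeline?(_other, _check), do: false

  # A `do` block with one statement is the statement itself; with several it
  # is wrapped in :__block__. Handle both and ignore everything but `plug`.
  defp plug_names({:__block__, _, stmts}), do: Enum.flat_map(stmts, &plug_names/1)
  defp plug_names({:plug, _, [name | _]}) when is_atom(name), do: [name]
  defp plug_names(_), do: []

  def run do
    for node <- pipeline_nodes() do
      IO.inspect({describe(node), vuln_pipeline?(node, :csrf)})
    end
  end

  defp describe({:pipeline, _, [name, [do: _]]}) when is_atom(name),
    do: {:pipeline_macro, name}

  defp describe({:pipeline, _, args}),
    do: {:not_a_router_pipeline, length(args)}
end

PipelineAstDemo.run()
```

Running this prints one tuple per collected node: `:browser` is flagged, `:safe_browser` is not, and the node from `def pipeline/2` is reported as `{:not_a_router_pipeline, 2}` and returns `false` instead of raising. The fallback clause is the whole fix from the checker's side; alternatively the walk can be tightened to collect only nodes that already match `{:pipeline, _, [name, [do: _]]}` so function heads never reach the checker.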

GriffinMB commented 4 years ago

Thanks for opening this issue! A fix for this will be released this weekend.

gabrielpra1 commented 4 years ago

Thank you!

GriffinMB commented 4 years ago

The fix for this issue is on master, along with an updated test case. You can install with mix archive.install github nccgroup/sobelow. Let me know if you run into any problems, otherwise I will aim to publish the update to hex.pm on Sunday.

Thanks again!

gabrielpra1 commented 4 years ago

The version on master is now working fine, thanks!