Closed jarrodldavis closed 4 years ago
Thanks for opening this issue! While you're waiting on a fix, you can use the --mark-skip-all flag to mark it as a false positive. You can find usage details here: https://sobelow.io/#v090
I added checks for the `nil` and `true` socket options cases, so this should no longer be incorrectly flagging LiveView's default socket configuration. The change is on master, so you can install and test with `mix archive.install github nccgroup/sobelow`.
Let me know if that works for you, and I will publish to Hex.
Thanks again!
@GriffinMB I've tested the updated check and it works great!
Meant to close this, sorry for the delay. This is in the latest release! Thanks again.
When generating a Phoenix app with LiveView, the endpoint has this line of code:
Sobelow marks this as a potential for Cross-Site WebSocket Hijacking:
Curiously, this code for Phoenix Sockets (just above the `socket` declaration for LiveView) doesn't appear to be flagged at all:

It appears the `Config.CSWH` only reports potential issues when the `websocket` configuration is a keyword list, and even ignores `check_origin: true` when explicitly set in that keyword list rather than implicitly from the endpoint configuration (such as from `config/config.exs` or `config/dev.exs`): https://github.com/nccgroup/sobelow/blob/8634de7994a8ca175ea14b8d7be2ff884a677c60/lib/sobelow/config/cswh.ex#L37-L47
I know that Sobelow errs on the side of over-reporting (which is ultimately a good thing), but since only function declarations can be skipped (which isn't readily available in the endpoint file), it would be nice if the check at least took an explicit `check_origin: true` configuration into account. It would also be nice if the global endpoint configuration were taken into account, but I understand that's probably unreasonable since it would need to correlate state across multiple files.