Closed jarrodldavis closed 4 years ago
GriffinMB
commented
4 years ago Thanks for opening this issue! While you're waiting on a fix, you can use the --mark-skip-all flag to mark it as a false positive. You can find usage details here: https://sobelow.io/#v090
GriffinMB
commented
4 years ago I added checks for the nil and true socket options cases, so this should no longer be incorrectly flagging LiveView's default socket configuration. The change is on master, so you can install and test with mix archive.install github nccgroup/sobelow.
Let me know if that works for you, and I will publish to Hex.
Thanks again!
jarrodldavis
commented
4 years ago @GriffinMB I've tested the updated check and it works great!
GriffinMB
commented
4 years ago Meant to close this, sorry for the delay. This is in the latest release! Thanks again.
When generating a Phoenix app with LiveView, the endpoint has this line of code:
Sobelow marks this as a potential for Cross-Site WebSocket Hijacking:
Curiously, this code for Phoenix Sockets (just above the
socketdeclaration for LiveView) doesn't appear to be flagged at all:It appears the
Config.CSWHonly reports potential issues when thewebsocketconfiguration is a keyword list, and even ignorescheck_origin: truewhen explicitly set in that keyword list rather than implicitly from the endpoint configuration (such as fromconfig/config.exsorconfig/dev.exs):https://github.com/nccgroup/sobelow/blob/8634de7994a8ca175ea14b8d7be2ff884a677c60/lib/sobelow/config/cswh.ex#L37-L47
I know that Sobelow errs on the side of over-reporting (which is ultimately a good thing), but since only function declarations can be skipped (which isn't readily available in the endpoint file), it would be nice if the check at least took an explicit
check_origin: trueconfiguration into account. It would also be nice if the global endpoint configuration were taken into account, but I understand that's probably unreasonable since it would need to correlate state across multiple files.