Packages
sobelow
0.10.5
0.14.1
0.14.0
0.13.0
0.12.2
0.12.1
0.12.0
0.11.1
0.11.0
0.10.6
0.10.5
0.10.4
0.10.3
0.10.2
0.10.1
0.10.0
0.9.3
0.9.2
0.9.1
0.9.0
0.8.0
0.7.8
0.7.7
0.7.6
0.7.5
0.7.4
0.7.3
0.7.2
0.7.1
0.7.0
0.6.9
0.6.8
0.6.7
0.6.6
0.6.5
0.6.4
0.6.3
0.6.2
0.6.1
0.6.0
0.5.4
0.5.3
0.5.2
0.5.1
0.5.0
0.4.9
0.4.8
0.4.7
0.4.6
0.4.5
0.4.4
0.4.3
0.4.2
0.4.1
0.4.0
0.3.12
0.3.11
0.3.10
0.3.9
0.3.8
0.3.7
0.3.6
0.3.5
0.3.4
0.3.3
0.3.2
0.3.1
0.3.0
0.2.8
0.2.7
0.2.6
0.2.5
0.2.4
0.2.3
Security-focused static analysis for Elixir & the Phoenix framework
Current section
Files
Jump to
Current section
Files
lib/sobelow/config/hsts.ex
defmodule Sobelow.Config.HSTS do
@moduledoc """
# HSTS
The HTTP Strict Transport Security (HSTS) header helps
defend against man-in-the-middle attacks by preventing
unencrypted connections.
HSTS checks can be ignored with the following command:
$ mix sobelow -i Config.HSTS
"""
alias Sobelow.Config
use Sobelow.Finding
@finding_type "Config.HSTS: HSTS Not Enabled"
def run(dir_path, configs) do
Enum.each(configs, fn conf ->
path = dir_path <> conf
Config.get_configs_by_file(:https, path)
|> handle_https(path)
end)
end
defp handle_https(opts, file) do
# If HTTPS configs were found in any config file and there
# are no accompanying HSTS configs, add an HSTS finding.
if length(opts) > 0 && length(Config.get_configs(:force_ssl, file)) === 0 do
add_finding(file)
end
end
defp add_finding(file) do
reason = "HSTS configuration details could not be found in `#{Path.basename(file)}`."
finding =
%Finding{
type: @finding_type,
filename: Utils.normalize_path(file),
fun_source: nil,
vuln_source: reason,
vuln_line_no: 0,
confidence: :medium
}
|> Finding.fetch_fingerprint()
case Sobelow.format() do
"json" ->
json_finding = [
type: finding.type,
file: finding.filename,
line: finding.vuln_line_no
]
Sobelow.log_finding(json_finding, finding)
"txt" ->
Sobelow.log_finding(finding)
Print.print_custom_finding_metadata(finding, [])
"compact" ->
Print.log_compact_finding(finding)
_ ->
Sobelow.log_finding(finding)
end
end
end