Packages
sobelow
0.14.1
0.14.1
0.14.0
0.13.0
0.12.2
0.12.1
0.12.0
0.11.1
0.11.0
0.10.6
0.10.5
0.10.4
0.10.3
0.10.2
0.10.1
0.10.0
0.9.3
0.9.2
0.9.1
0.9.0
0.8.0
0.7.8
0.7.7
0.7.6
0.7.5
0.7.4
0.7.3
0.7.2
0.7.1
0.7.0
0.6.9
0.6.8
0.6.7
0.6.6
0.6.5
0.6.4
0.6.3
0.6.2
0.6.1
0.6.0
0.5.4
0.5.3
0.5.2
0.5.1
0.5.0
0.4.9
0.4.8
0.4.7
0.4.6
0.4.5
0.4.4
0.4.3
0.4.2
0.4.1
0.4.0
0.3.12
0.3.11
0.3.10
0.3.9
0.3.8
0.3.7
0.3.6
0.3.5
0.3.4
0.3.3
0.3.2
0.3.1
0.3.0
0.2.8
0.2.7
0.2.6
0.2.5
0.2.4
0.2.3
Security-focused static analysis for Elixir & the Phoenix framework
Current section
Files
Jump to
Current section
Files
lib/sobelow/vuln/plug_null.ex
defmodule Sobelow.Vuln.PlugNull do
@moduledoc """
# Plug Version Vulnerable to Null Byte Injection
For more information visit:
https://github.com/advisories/GHSA-2q6v-32mr-8p8x
Null Byte Injection checks can be ignored with the following command:
$ mix sobelow -i Vuln.PlugNull
"""
alias Sobelow.Config
alias Sobelow.Vuln
@uid 26
@finding_type "Vuln.PlugNull: Known Vulnerable Dependency - Update Plug"
use Sobelow.Finding
# we could _probably_ remove some of these versions since if Sobelow is running,
# it means there is a minimum version of Elixir on the system which the lower
# versions of Plug wouldn't support - will leave for now to reflect CVE
@vuln_vsn ~w(1.3.1 1.3.0 1.2.2 1.2.1 1.2.0 1.1.6 1.1.5 1.1.4 1.1.3 1.1.2 1.1.1 1.1.0 1.0.3 1.0.2 1.0.1 1.0.0)
def run(root) do
plug_conf = root <> "/deps/plug/mix.exs"
if File.exists?(plug_conf) do
vsn = Config.get_version(plug_conf)
if Enum.member?(@vuln_vsn, vsn) do
Vuln.print_finding(
plug_conf,
vsn,
"Plug",
"Null Byte Injection in Plug.Static",
"CVE-2017-1000052",
"PlugNull"
)
end
end
end
end