Packages
sobelow
0.14.1
0.14.1
0.14.0
0.13.0
0.12.2
0.12.1
0.12.0
0.11.1
0.11.0
0.10.6
0.10.5
0.10.4
0.10.3
0.10.2
0.10.1
0.10.0
0.9.3
0.9.2
0.9.1
0.9.0
0.8.0
0.7.8
0.7.7
0.7.6
0.7.5
0.7.4
0.7.3
0.7.2
0.7.1
0.7.0
0.6.9
0.6.8
0.6.7
0.6.6
0.6.5
0.6.4
0.6.3
0.6.2
0.6.1
0.6.0
0.5.4
0.5.3
0.5.2
0.5.1
0.5.0
0.4.9
0.4.8
0.4.7
0.4.6
0.4.5
0.4.4
0.4.3
0.4.2
0.4.1
0.4.0
0.3.12
0.3.11
0.3.10
0.3.9
0.3.8
0.3.7
0.3.6
0.3.5
0.3.4
0.3.3
0.3.2
0.3.1
0.3.0
0.2.8
0.2.7
0.2.6
0.2.5
0.2.4
0.2.3
Security-focused static analysis for Elixir & the Phoenix framework
Current section
Files
Jump to
Current section
Files
lib/sobelow/vuln/redirect.ex
defmodule Sobelow.Vuln.Redirect do
@moduledoc """
# Phoenix Version Vulnerable to Arbitrary URL Redirection
For more information visit:
https://github.com/advisories/GHSA-cmfh-8f8r-fj96
URL Redirection checks can be ignored with the following command:
$ mix sobelow -i Vuln.Redirect
"""
alias Sobelow.Config
alias Sobelow.Vuln
@uid 27
@finding_type "Vuln.Redirect: Known Vulnerable Dependency - Update Phoenix"
use Sobelow.Finding
# we could _probably_ remove some of these versions since if Sobelow is running,
# it means there is a minimum version of Elixir on the system which the lower
# versions of Phoenix wouldn't support - will leave for now to reflect CVE
@vuln_vsn ~w(1.0.0 1.0.1 1.0.2 1.0.3 1.0.4 1.1.0 1.1.1 1.1.2 1.1.3 1.1.4 1.1.5 1.1.6 1.2.0 1.2.1 1.3.0-rc.0)
def run(root) do
plug_conf = root <> "/deps/phoenix/mix.exs"
if File.exists?(plug_conf) do
vsn = Config.get_version(plug_conf)
if Enum.member?(@vuln_vsn, vsn) do
Vuln.print_finding(
plug_conf,
vsn,
"Phoenix",
"Arbitrary URL Redirect",
"CVE-2017-1000163",
"Redirect"
)
end
end
end
end