Packages
sobelow
0.3.1
0.14.1
0.14.0
0.13.0
0.12.2
0.12.1
0.12.0
0.11.1
0.11.0
0.10.6
0.10.5
0.10.4
0.10.3
0.10.2
0.10.1
0.10.0
0.9.3
0.9.2
0.9.1
0.9.0
0.8.0
0.7.8
0.7.7
0.7.6
0.7.5
0.7.4
0.7.3
0.7.2
0.7.1
0.7.0
0.6.9
0.6.8
0.6.7
0.6.6
0.6.5
0.6.4
0.6.3
0.6.2
0.6.1
0.6.0
0.5.4
0.5.3
0.5.2
0.5.1
0.5.0
0.4.9
0.4.8
0.4.7
0.4.6
0.4.5
0.4.4
0.4.3
0.4.2
0.4.1
0.4.0
0.3.12
0.3.11
0.3.10
0.3.9
0.3.8
0.3.7
0.3.6
0.3.5
0.3.4
0.3.3
0.3.2
0.3.1
0.3.0
0.2.8
0.2.7
0.2.6
0.2.5
0.2.4
0.2.3
Security-focused static analysis for Elixir & the Phoenix framework
Current section
Files
Jump to
Current section
Files
lib/mix/tasks/sobelow.ex
defmodule Mix.Tasks.Sobelow do
use Mix.Task
@moduledoc """
Sobelow is a static analysis tool for discovering
vulnerabilities in Phoenix applications.
This tool should be run in the root of the project directory
with the following command:
mix sobelow
## Command line options
* `--root -r` - Specify application root directory
* `--with-code -v` - Print vulnerable code snippets
* `--ignore -i` - Ignore modules
* `--details -d` - Get module details
* `--all-details` - Get all module details
* `--private` - Skip update checks
* `--skip` - Skip functions flagged with `@sobelow_skip`
## Ignoring modules
If specific modules, or classes of modules are not relevant
to the scan, it is possible to ignore them with a
comma-separated list.
mix sobelow -i XSS.Raw,Traversal
## Supported modules
* XSS
* XSS.Raw
* XSS.SendResp
* SQL
* SQL.Query
* SQL.Stream
* Config
* Config.CSRF
* Config.HTTPS
* Config.Secrets
* Traversal
* Traversal.SendFile
* Traversal.FileModule
* Misc
* Misc.BinToTerm
* CI
* CI.System
* CI.OS
"""
@switches [with_code: :boolean,
root: :string,
ignore: :string,
details: :string,
all_details: :boolean,
private: :boolean,
diff: :string,
skip: :boolean,
router: :string]
@aliases [v: :with_code, r: :root, i: :ignore, d: :details]
def run(argv) do
{opts, _, _} = OptionParser.parse(argv, aliases: @aliases, switches: @switches)
with_code = Keyword.get(opts, :with_code, false)
root = Keyword.get(opts, :root, ".")
details = Keyword.get(opts, :details, nil)
all_details = Keyword.get(opts, :all_details)
private = Keyword.get(opts, :private, false)
diff = Keyword.get(opts, :diff, false)
skip = Keyword.get(opts, :skip, false)
router = Keyword.get(opts, :router)
set_env(:with_code, with_code)
set_env(:root, root)
set_env(:details, details)
set_env(:private, private)
set_env(:skip, skip)
set_env(:router, router)
ignored =
Keyword.get(opts, :ignore, "")
|> String.split(",")
set_env(:ignored, ignored)
cond do
diff ->
run_diff(argv)
!is_nil(all_details) ->
Sobelow.all_details()
!is_nil(details) ->
Sobelow.details()
true ->
Sobelow.run()
end
end
# This diff check is strictly used for testing/debugging and
# isn't meant for general use.
def run_diff(argv) do
diff_idx = Enum.find_index(argv, fn i -> i === "--diff" end)
{_, list} = List.pop_at(argv, diff_idx)
{diff_target, list} = List.pop_at(list, diff_idx)
args = Enum.join(list, " ") |> to_charlist()
diff_target = to_charlist(diff_target)
:os.cmd('mix sobelow ' ++ args ++ ' > sobelow.tempdiff')
IO.puts :os.cmd('diff sobelow.tempdiff ' ++ diff_target)
end
def set_env(key, value) do
Application.put_env(:sobelow, key, value)
end
end