Packages
sobelow
0.6.2
0.14.1
0.14.0
0.13.0
0.12.2
0.12.1
0.12.0
0.11.1
0.11.0
0.10.6
0.10.5
0.10.4
0.10.3
0.10.2
0.10.1
0.10.0
0.9.3
0.9.2
0.9.1
0.9.0
0.8.0
0.7.8
0.7.7
0.7.6
0.7.5
0.7.4
0.7.3
0.7.2
0.7.1
0.7.0
0.6.9
0.6.8
0.6.7
0.6.6
0.6.5
0.6.4
0.6.3
0.6.2
0.6.1
0.6.0
0.5.4
0.5.3
0.5.2
0.5.1
0.5.0
0.4.9
0.4.8
0.4.7
0.4.6
0.4.5
0.4.4
0.4.3
0.4.2
0.4.1
0.4.0
0.3.12
0.3.11
0.3.10
0.3.9
0.3.8
0.3.7
0.3.6
0.3.5
0.3.4
0.3.3
0.3.2
0.3.1
0.3.0
0.2.8
0.2.7
0.2.6
0.2.5
0.2.4
0.2.3
Security-focused static analysis for Elixir & the Phoenix framework
Current section
Files
Jump to
Current section
Files
lib/sobelow/config/secrets.ex
defmodule Sobelow.Config.Secrets do
@moduledoc """
# Hard-coded Secrets
In the event of a source-code disclosure via file read
vulnerability, accidental commit, etc, hard-coded secrets
may be exposed to an attacker. This may result in
database access, cookie forgery, and other issues.
Sobelow detects missing hard-coded secrets by checking the prod
configuration.
Hard-coded secrets checks can be ignored with the following command:
$ mix sobelow -i Config.Secrets
"""
alias Sobelow.Config
alias Sobelow.Utils
use Sobelow.Finding
def run(dir_path, configs) do
Enum.each configs, fn conf ->
path = dir_path <> conf
if conf != "config.exs" do
Config.get_configs_by_file(:secret_key_base, path)
|> enumerate_secrets(path)
end
Utils.get_fuzzy_configs("password", path)
|> enumerate_fuzzy_secrets(path)
Utils.get_fuzzy_configs("secret", path)
|> enumerate_fuzzy_secrets(path)
end
end
defp enumerate_secrets(secrets, file) do
file = Path.expand(file, "") |> String.replace_prefix("/", "")
Enum.each secrets, fn {{_, [line: lineno], _} = fun, key, val} ->
if is_binary(val) && String.length(val) > 0 && !is_env_var?(val) do
add_finding(file, lineno, fun, key, val)
end
end
end
defp enumerate_fuzzy_secrets(secrets, file) do
file = Path.expand(file, "") |> String.replace_prefix("/", "")
Enum.each secrets, fn {{_, [line: lineno], _} = fun, vals} ->
Enum.each vals, fn {k, v} ->
if is_binary(v) && String.length(v) > 0 && !is_env_var?(v) do
add_finding(file, lineno, fun, k, v)
end
end
end
end
def is_env_var?("${" <> rest) do
String.ends_with?(rest, "}")
end
def is_env_var?(_), do: false
defp add_finding(file, line_no, fun, key, _val) do
type = "Hardcoded Secret"
case Sobelow.get_env(:format) do
"json" ->
finding = [type: type]
Sobelow.log_finding(finding, :high)
"txt" ->
IO.puts IO.ANSI.red() <> type <> " - High Confidence" <> IO.ANSI.reset()
IO.puts "File: #{file} - line #{line_no}"
IO.puts "Type: #{key}"
if Sobelow.get_env(:with_code), do: Utils.print_code(fun, :highlight_all)
IO.puts "\n-----------------------------------------------\n"
"compact" ->
Utils.log_compact_finding(type, file, line_no, :high)
_ ->
Sobelow.log_finding(type, :high)
end
end
end