Packages
sobelow
0.6.5
0.14.1
0.14.0
0.13.0
0.12.2
0.12.1
0.12.0
0.11.1
0.11.0
0.10.6
0.10.5
0.10.4
0.10.3
0.10.2
0.10.1
0.10.0
0.9.3
0.9.2
0.9.1
0.9.0
0.8.0
0.7.8
0.7.7
0.7.6
0.7.5
0.7.4
0.7.3
0.7.2
0.7.1
0.7.0
0.6.9
0.6.8
0.6.7
0.6.6
0.6.5
0.6.4
0.6.3
0.6.2
0.6.1
0.6.0
0.5.4
0.5.3
0.5.2
0.5.1
0.5.0
0.4.9
0.4.8
0.4.7
0.4.6
0.4.5
0.4.4
0.4.3
0.4.2
0.4.1
0.4.0
0.3.12
0.3.11
0.3.10
0.3.9
0.3.8
0.3.7
0.3.6
0.3.5
0.3.4
0.3.3
0.3.2
0.3.1
0.3.0
0.2.8
0.2.7
0.2.6
0.2.5
0.2.4
0.2.3
Security-focused static analysis for Elixir & the Phoenix framework
Current section
Files
Jump to
Current section
Files
lib/sobelow/config/csrf.ex
defmodule Sobelow.Config.CSRF do @moduledoc """ # Cross-Site Request Forgery In a Cross-Site Request Forgery (CSRF) attack, an untrusted application can cause a user's browser to submit requests or perform actions on the user's behalf. Read more about CSRF here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) Cross-Site Request Forgery is flagged by `sobelow` when a pipeline accepts "html" requests, but does not implement the `:protect_from_forgery` plug. CSRF checks can be ignored with the following command: $ mix sobelow -i Config.CSRF """ alias Sobelow.Utils use Sobelow.Finding def run(router, _) do Utils.get_pipelines(router) |> Enum.each(&is_vuln_pipeline?/1) end defp is_vuln_pipeline?(pipeline) do if Utils.is_vuln_pipeline?(pipeline, :csrf) do add_finding(pipeline) end end defp add_finding({:pipeline, [line: line_no], [pipeline_name, _]} = pipeline) do type = "Missing CSRF Protections" case Sobelow.format() do "json" -> finding = [ type: type, pipeline: "#{pipeline_name}:#{line_no}" ] Sobelow.log_finding(finding, :high) "txt" -> Sobelow.log_finding(type, :high) IO.puts IO.ANSI.red() <> type <> " - High Confidence" <> IO.ANSI.reset() IO.puts "Pipeline: #{pipeline_name}:#{line_no}" if Sobelow.get_env(:verbose), do: Utils.print_code(pipeline, pipeline_name) IO.puts "\n-----------------------------------------------\n" "compact" -> Utils.log_compact_finding(type, :high) _ -> Sobelow.log_finding(type, :high) end endend