Packages
sobelow
0.6.7
0.14.1
0.14.0
0.13.0
0.12.2
0.12.1
0.12.0
0.11.1
0.11.0
0.10.6
0.10.5
0.10.4
0.10.3
0.10.2
0.10.1
0.10.0
0.9.3
0.9.2
0.9.1
0.9.0
0.8.0
0.7.8
0.7.7
0.7.6
0.7.5
0.7.4
0.7.3
0.7.2
0.7.1
0.7.0
0.6.9
0.6.8
0.6.7
0.6.6
0.6.5
0.6.4
0.6.3
0.6.2
0.6.1
0.6.0
0.5.4
0.5.3
0.5.2
0.5.1
0.5.0
0.4.9
0.4.8
0.4.7
0.4.6
0.4.5
0.4.4
0.4.3
0.4.2
0.4.1
0.4.0
0.3.12
0.3.11
0.3.10
0.3.9
0.3.8
0.3.7
0.3.6
0.3.5
0.3.4
0.3.3
0.3.2
0.3.1
0.3.0
0.2.8
0.2.7
0.2.6
0.2.5
0.2.4
0.2.3
Security-focused static analysis for Elixir & the Phoenix framework
Current section
Files
Jump to
Current section
Files
lib/sobelow/config/csrf.ex
defmodule Sobelow.Config.CSRF do
@moduledoc """
# Cross-Site Request Forgery
In a Cross-Site Request Forgery (CSRF) attack, an untrusted
application can cause a user's browser to submit requests or perform
actions on the user's behalf.
Read more about CSRF here:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
Cross-Site Request Forgery is flagged by `sobelow` when
a pipeline accepts "html" requests, but does not implement
the `:protect_from_forgery` plug.
CSRF checks can be ignored with the following command:
$ mix sobelow -i Config.CSRF
"""
alias Sobelow.Utils
use Sobelow.Finding
def run(router, _) do
Utils.get_pipelines(router)
|> Enum.each(&is_vuln_pipeline?/1)
end
defp is_vuln_pipeline?(pipeline) do
if Utils.is_vuln_pipeline?(pipeline, :csrf) do
add_finding(pipeline)
end
end
defp add_finding({:pipeline, [line: line_no], [pipeline_name, _]} = pipeline) do
type = "Missing CSRF Protections"
case Sobelow.format() do
"json" ->
finding = [
type: type,
pipeline: "#{pipeline_name}:#{line_no}"
]
Sobelow.log_finding(finding, :high)
"txt" ->
Sobelow.log_finding(type, :high)
IO.puts(IO.ANSI.red() <> type <> " - High Confidence" <> IO.ANSI.reset())
IO.puts("Pipeline: #{pipeline_name}:#{line_no}")
if Sobelow.get_env(:verbose), do: Utils.print_code(pipeline, pipeline_name)
IO.puts("\n-----------------------------------------------\n")
"compact" ->
Utils.log_compact_finding(type, :high)
_ ->
Sobelow.log_finding(type, :high)
end
end
end