Packages
sobelow
0.7.0
0.14.1
0.14.0
0.13.0
0.12.2
0.12.1
0.12.0
0.11.1
0.11.0
0.10.6
0.10.5
0.10.4
0.10.3
0.10.2
0.10.1
0.10.0
0.9.3
0.9.2
0.9.1
0.9.0
0.8.0
0.7.8
0.7.7
0.7.6
0.7.5
0.7.4
0.7.3
0.7.2
0.7.1
0.7.0
0.6.9
0.6.8
0.6.7
0.6.6
0.6.5
0.6.4
0.6.3
0.6.2
0.6.1
0.6.0
0.5.4
0.5.3
0.5.2
0.5.1
0.5.0
0.4.9
0.4.8
0.4.7
0.4.6
0.4.5
0.4.4
0.4.3
0.4.2
0.4.1
0.4.0
0.3.12
0.3.11
0.3.10
0.3.9
0.3.8
0.3.7
0.3.6
0.3.5
0.3.4
0.3.3
0.3.2
0.3.1
0.3.0
0.2.8
0.2.7
0.2.6
0.2.5
0.2.4
0.2.3
Security-focused static analysis for Elixir & the Phoenix framework
Current section
Files
Jump to
Current section
Files
lib/sobelow/config/hsts.ex
defmodule Sobelow.Config.HSTS do
@moduledoc """
# HSTS
The HTTP Strict Transport Security (HSTS) header helps
defend against man-in-the-middle attacks by preventing
unencrypted connections.
HSTS checks can be ignored with the following command:
$ mix sobelow -i Config.HSTS
"""
alias Sobelow.Config
alias Sobelow.Utils
use Sobelow.Finding
def run(dir_path, configs) do
Enum.each(configs, fn conf ->
path = dir_path <> conf
Config.get_configs_by_file(:https, path)
|> handle_https(path)
end)
end
defp handle_https(opts, file) do
# If HTTPS configs were found in any config file and there
# are no accompanying HSTS configs, add an HSTS finding.
if length(opts) > 0 && length(Utils.get_configs(:force_ssl, file)) === 0 do
add_finding(Path.basename(file))
end
end
defp add_finding(file) do
type = "HSTS Not Enabled"
case Sobelow.format() do
"json" ->
finding = [type: type]
Sobelow.log_finding(finding, :medium)
"txt" ->
Sobelow.log_finding(type, :medium)
IO.puts(IO.ANSI.yellow() <> type <> " - Medium Confidence" <> IO.ANSI.reset())
if Sobelow.get_env(:verbose), do: print_info(file)
IO.puts("\n-----------------------------------------------\n")
"compact" ->
Utils.log_compact_finding(type, :medium)
_ ->
Sobelow.log_finding(type, :medium)
end
end
defp print_info(file) do
IO.puts("\nHSTS configuration details could not be found in `#{file}`.")
end
end