You can ignore findings in Sobelow on a per-function basis now! You can also use the ignore flag to ignore classes of vulnerabilities, which has been around since the beginning.
Just pushed an update – Sobelow also now checks for insecure use of String.to_atom, which can lead to memory exhaustion.
Sorry for the multiple updates today! I wasn’t intending on pushing this until a little later in the week, but >20% of my test corpus was vulnerable, so I thought it would be a good one to push out sooner than later
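The String.to_atom issue in working Elixir, as an added example that is not part of the thread or of Sobelow itself (the module, function and `params` names are hypothetical; `params` stands for a decoded request body or query string):

```elixir
# Added example (not Sobelow's code): why unchecked String.to_atom/1 on
# request data is a denial-of-service vector, and two ways to avoid it.
defmodule AtomSafety do
  # Vulnerable: every distinct string becomes a new entry in the BEAM atom
  # table, which is never garbage-collected. A client cycling through fresh
  # values fills the table until the VM hits its atom limit and crashes.
  def status_vuln(params) do
    String.to_atom(params["status"])
  end

  # Hardened: map the untrusted string onto an explicit allowlist of atoms.
  # Nothing the client sends can create an atom that is not already here.
  @allowed %{"active" => :active, "archived" => :archived, "deleted" => :deleted}
  def status_safe(params) do
    Map.fetch(@allowed, params["status"])
  end

  # Weaker alternative: String.to_existing_atom/1 refuses to create atoms,
  # so the table cannot grow. It still accepts any atom already loaded in
  # the VM (module names, :ok, :error, ...), so it is a guard, not an allowlist.
  def status_existing(params) do
    {:ok, String.to_existing_atom(params["status"])}
  rescue
    ArgumentError -> :error
  end

  # Observe the growth directly: converts `n` distinct attacker-shaped
  # strings and returns how many entries the atom table gained.
  def atom_growth(n) when is_integer(n) and n > 0 do
    before = :erlang.system_info(:atom_count)
    # Unique tag so repeated calls keep creating new atoms instead of
    # hitting ones made by an earlier run.
    tag = System.unique_integer([:positive])

    for i <- 1..n do
      String.to_atom("attacker_#{tag}_#{i}")
    end

    :erlang.system_info(:atom_count) - before
  end
end
```

`status_safe/1` is the fix to prefer: the only atoms it can ever produce are the ones written in the module. `status_existing/1` stops the table from growing but still lets a client name any atom that happens to be loaded, so it must not double as an authorization decision. `atom_growth/1` reads `:erlang.system_info(:atom_count)` before and after the conversions; on a VM where nothing else is creating atoms the growth equals `n`, and the count never goes back down, which is the whole problem.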
Sobelow - 0.3.5
With this release, Sobelow now flags additional denial of service vectors, as well as potentially insecure file/path function use. Problems with file/path functionality are a little less straightforward, so here’s some background:
Insecure use of File and Path
In Elixir, File methods are null-terminated, while Path functions are not. This may cause security issues in certain situations. For example:
user_input = "/var/www/secret.txt\0/name"
path = Path.dirname(user_input)        # "/var/www/secret.txt\0" - the NUL survives
public_file = path <> "/public.txt"    # "/var/www/secret.txt\0/public.txt"
File.read(public_file)                 # stops at the NUL and reads /var/www/secret.txt
Because Path functions are not null-terminated, this will attempt to read the file “/var/www/secret.txt\0/public.txt”. However, due to the null-byte termination of File functions, “secret.txt” will ultimately be read.
Updated docs can be found in the repository: https://github.com/nccgroup/sobelow
And you can update with mix archive.install hex sobelow.
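A defensive wrapper for the pattern in the release note above, as an added example (not Sobelow's code and not from the thread). The module name, the `public.txt` convention and the `/var/www` base directory are hypothetical. Whatever a given OTP release does with an embedded NUL (the silent truncation described above, or an error), the fix is the same: reject the byte before any Path or File call, then confine the computed path to a base directory so ordinary `../` traversal is caught by the same check.

```elixir
# Added example (not Sobelow's code): reject NUL bytes up front and confine
# the result to a base directory before touching the File module.
defmodule SafeFile do
  @base "/var/www"

  # Returns {:ok, path} only when the input is NUL-free and the resulting
  # path lies under `base`; otherwise a tagged error.
  def public_file_for(user_input, base \\ @base) when is_binary(user_input) do
    if String.contains?(user_input, <<0>>) do
      # Path.dirname/1 would keep the NUL and File.read/1 would stop at it,
      # so refuse the input rather than letting the two modules disagree.
      {:error, :null_byte}
    else
      candidate =
        user_input
        |> Path.dirname()
        |> Path.join("public.txt")
        # Path.expand/2 resolves "." and ".." and anchors relative input
        # under `base`; absolute input is kept as given.
        |> Path.expand(base)

      if String.starts_with?(candidate, base <> "/") do
        {:ok, candidate}
      else
        {:error, :outside_base}
      end
    end
  end

  # Only reads once the path has passed both checks.
  def read_public(user_input, base \\ @base) do
    with {:ok, path} <- public_file_for(user_input, base) do
      File.read(path)
    end
  end
end
```

With the input from the release note, `SafeFile.public_file_for("/var/www/secret.txt\0/name")` returns `{:error, :null_byte}`; `SafeFile.public_file_for("docs/readme.txt")` returns `{:ok, "/var/www/docs/public.txt"}`; and `SafeFile.public_file_for("../../etc/passwd")` returns `{:error, :outside_base}`. The prefix comparison is lexical, so a symlink inside the base directory can still point elsewhere; resolving that needs a filesystem-level check on top of this one.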
Sobelow - 0.3.6
Sobelow will now warn you if your application is susceptible to publicly disclosed vulnerabilities. This was a much-requested feature in previous disclosure threads, so hopefully it gets put to good use!
Random info
- Sobelow automatically identifies valid vulnerabilities in around 90% of my 30ish-project body of tests. This is excluding HTTPS checks.
- The most common vulnerabilities are: missing HTTPS, known-vulnerable packages, directory traversal, and memory exhaustion.
- This will probably be the last addition I make to vulnerability checks for the next couple of weeks. I’m going to focus on refactoring and getting the API/configs locked down.
For anyone who hasn’t given Sobelow a try yet, here is a great and thorough post on getting started:
https://brainlid.org/elixir/2017/06/14/security-scanning-phoenix.html
Also - I’ve been out of the country, so no updates this week. But next week should have some nice additions!
Whoo! I’m waiting for sobelow to detect issues in my main work code! It has not as of yet.
Well, unfortunately(?), that probably won’t happen this week! If things go as planned, this week will be some output formatting options (most likely just some simple JSON output), as well as the ability to save config options
Sobelow - 0.5.1
I wanted to give an update, since it’s been a while since the last (0.3.6). Updates include a number of output formatting options, the ability to run w/ a config file, additional vulnerability checks, bug fixes, and other general improvements. If you take a look at the README, you will likely find some new, useful features.
As always, install the latest update with:
mix archive.install hex sobelow
If you run into any issues, let me know!
Installing it spewed a TON of warnings. ^.^;
╰─➤ mix archive.install hex sobelow
==> Elixir.Mix.Local.Installer.Fetcher
Running dependency resolution...
Dependency resolution completed:
sobelow 0.5.1
* Getting sobelow (Hex package)
Checking package (https://repo.hex.pm/tarballs/sobelow-0.5.1.tar)
Fetched package
==> sobelow
Compiling 35 files (.ex)
warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
lib/sobelow/config/secrets.ex:19: Sobelow.Config.Secrets.get_details/0
warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
lib/sobelow/xss/raw.ex:3: Sobelow.XSS.Raw.get_details/0
warning: this check/guard will always yield the same result
lib/sobelow/config/secrets.ex:19
warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
lib/sobelow/dos/string_to_atom.ex:15: Sobelow.DOS.StringToAtom.get_details/0
warning: this check/guard will always yield the same result
lib/sobelow/dos/string_to_atom.ex:15
warning: this clause cannot match because a previous clause at line 3 always matches
lib/sobelow/xss/raw.ex:3
warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
lib/sobelow/traversal/file_module.ex:3: Sobelow.Traversal.FileModule.get_details/0
warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
lib/sobelow/xss/send_resp.ex:3: Sobelow.XSS.SendResp.get_details/0
warning: this clause cannot match because a previous clause at line 3 always matches
lib/sobelow/traversal/file_module.ex:3
warning: this clause cannot match because a previous clause at line 3 always matches
lib/sobelow/xss/send_resp.ex:3
warning: this check/guard will always yield the same result
lib/sobelow/traversal.ex:20
warning: this check/guard will always yield the same result
lib/sobelow/sql.ex:18
warning: this check/guard will always yield the same result
lib/sobelow/vuln.ex:13
warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
lib/sobelow/misc/bin_to_term.ex:15: Sobelow.Misc.BinToTerm.get_details/0
warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
lib/sobelow/ci/os.ex:3: Sobelow.CI.OS.get_details/0
warning: this check/guard will always yield the same result
lib/sobelow/misc/bin_to_term.ex:15
warning: this clause cannot match because a previous clause at line 3 always matches
lib/sobelow/ci/os.ex:3
warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
lib/sobelow/vuln/plug_null.ex:4: Sobelow.Vuln.PlugNull.get_details/0
warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
lib/sobelow/vuln/header_inject.ex:4: Sobelow.Vuln.HeaderInject.get_details/0
warning: this clause cannot match because a previous clause at line 4 always matches
lib/sobelow/vuln/plug_null.ex:4
warning: this clause cannot match because a previous clause at line 4 always matches
lib/sobelow/vuln/header_inject.ex:4
warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
lib/sobelow/config/csrf.ex:21: Sobelow.Config.CSRF.get_details/0
warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
lib/sobelow/misc/file_path.ex:28: Sobelow.Misc.FilePath.get_details/0
warning: this check/guard will always yield the same result
lib/sobelow/config/csrf.ex:21
warning: this check/guard will always yield the same result
lib/sobelow/misc/file_path.ex:28
warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
lib/sobelow/vuln/redirect.ex:4: Sobelow.Vuln.Redirect.get_details/0
warning: this check/guard will always yield the same result
lib/sobelow/ci.ex:18
warning: this clause cannot match because a previous clause at line 4 always matches
lib/sobelow/vuln/redirect.ex:4
warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
lib/sobelow/ci/system.ex:3: Sobelow.CI.System.get_details/0
warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
lib/sobelow/config/hsts.ex:15: Sobelow.Config.HSTS.get_details/0
warning: this clause cannot match because a previous clause at line 3 always matches
lib/sobelow/ci/system.ex:3
warning: this check/guard will always yield the same result
lib/sobelow/config/hsts.ex:15
warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
lib/sobelow/config/headers.ex:19: Sobelow.Config.Headers.get_details/0
warning: this check/guard will always yield the same result
lib/sobelow/config/headers.ex:19
warning: this check/guard will always yield the same result
lib/sobelow/xss.ex:22
warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
lib/sobelow/vuln/cookie_rce.ex:4: Sobelow.Vuln.CookieRCE.get_details/0
warning: this clause cannot match because a previous clause at line 3 always matches
lib/sobelow/misc.ex:3
warning: this clause cannot match because a previous clause at line 4 always matches
lib/sobelow/vuln/cookie_rce.ex:4
warning: this clause cannot match because a previous clause at line 11 always matches
lib/sobelow/config.ex:11
warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
lib/sobelow/sql/query.ex:3: Sobelow.SQL.Query.get_details/0
warning: this clause cannot match because a previous clause at line 3 always matches
lib/sobelow/dos.ex:3
warning: this clause cannot match because a previous clause at line 3 always matches
lib/sobelow/sql/query.ex:3
warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
lib/sobelow/traversal/send_file.ex:3: Sobelow.Traversal.SendFile.get_details/0
warning: this clause cannot match because a previous clause at line 3 always matches
lib/sobelow/traversal/send_file.ex:3
warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
lib/sobelow/config/https.ex:16: Sobelow.Config.HTTPS.get_details/0
warning: this check/guard will always yield the same result
lib/sobelow/config/https.ex:16
warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
lib/sobelow/sql/stream.ex:3: Sobelow.SQL.Stream.get_details/0
warning: this clause cannot match because a previous clause at line 3 always matches
lib/sobelow/sql/stream.ex:3
warning: clauses for the same defp should be grouped together, defp maybe_highlight/5 was previously defined (lib/sobelow/utils.ex:78)
lib/sobelow/utils.ex:92
warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
lib/sobelow/dos/list_to_atom.ex:15: Sobelow.DOS.ListToAtom.get_details/0
warning: clauses for the same def should be grouped together, def extract_opts/1 was previously defined (lib/sobelow/utils.ex:467)
lib/sobelow/utils.ex:474
warning: this check/guard will always yield the same result
lib/sobelow/dos/list_to_atom.ex:15
warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
lib/sobelow/xss/content_type.ex:25: Sobelow.XSS.ContentType.get_details/0
warning: this check/guard will always yield the same result
lib/sobelow/xss/content_type.ex:25
Generated sobelow app
Generated archive "sobelow-0.5.1.ez" with MIX_ENV=prod
Are you sure you want to install "sobelow-0.5.1.ez"? [Yn] Y
* creating /home/my_user/.mix/archives/sobelow-0.5.1
Ah yes. The Elixir compiler really hates the little metaprogramming bit I did to prevent some code duplication in printing out information about finding categories. It’s been around since the first release, so I’m surprised this is the first time you’ve noticed it!
The good news is that I’m planning on re-working that bit pretty soon. So the warnings should drop fairly significantly!
I’ve noticed it every time, just thought I’d report it now. ^.^
Lol. Well thanks, as always, for taking a look! Your input is definitely appreciated. I considered adding a note to the initial announcement pre-thanking you for looking, and pre-apologizing for Sobelow not flagging anything in your app
Lol!
I’m still awaiting it to flag something. I just made a huge amount of changes in a branch for the new redhat production deployment (I scan mainline, should probably scan everything), let me scan it right quick…:
╰─➤ mix sobelow
Error fetching version number.
##############################################
# #
# Running Sobelow - v0.5.1 #
# Created by Griffin Byatt - @griffinbyatt #
# NCC Group - https://nccgroup.trust #
# #
##############################################
Hardcoded Secret - High Confidence
File: config/prod.secret.exs - line 4
Type: secret_key_base
-----------------------------------------------
Hardcoded Secret - High Confidence
File: config/prod.secret.exs - line 8
Type: password
-----------------------------------------------
HTTPS Not Enabled - High Confidence
-----------------------------------------------
... SCAN COMPLETE ...
Well the prod.secret.exs is dynamically pulled from the environment, so unsure why it is saying it is hardcoded. Same thing on line 8 too (false positives).
As for HTTPS, that is no longer enabled in the app since it is running behind an nginx reverse proxy that handles HTTPS itself, so another false positive. ^.^
Very impressed with this tool. Just ran it on a pet project and it caught the hardcoded DB secrets. Curious to run it on our team’s repos tomorrow. Keep up the good work!
Is there a temporary string in prod.secret.exs or something? The scanner should correctly not report secrets pulled via functions like System.get_env or environment variables set with “${ENV}”. If you could PM me the results of running mix sobelow -v that would be very helpful!
Awesome! Glad you’re finding it useful
Rather, it gets generated from scripts to generate a prod.secret.exs file from a template file of prod.secret.exs.eex. The prod.secret.exs file itself is ignored by git. Perhaps sobelow should ignore the same files that .gitignore ignores?
Oh, that makes total sense! That’s something I’ll definitely look into. For a nearer-term solution, there is currently an --ignore-files flag you can use (more likely in a .sobelow-conf file than actually passed on the command line).
Thanks again!
Ooo, what is the format of the .sobelow-conf file so I can put that in?
Also, how can I have it ignore the HTTPS not enabled (not the entire prod.exs file) since nginx handles that?
The easiest thing you could do is:
mix sobelow -i Config.HTTPS --ignore-files config/prod.secret.exs --save-config
Then you can run with:
mix sobelow --config
The format is basically just a keyword list, but a --save-config is helpful to get it started.
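What that keyword list looks like for the command above, as an added example (not written by anyone in the thread and not generated by Sobelow here). The two keys are what the `-i` and `--ignore-files` options map to; their names follow Sobelow's README and are assumed to match what `--save-config` writes for 0.5.1, so diff this against the generated file before relying on it:

```elixir
# .sobelow-conf (added example; run `mix sobelow --config` to use it)
[
  # Finding categories to skip, same values as `-i` / `--ignore`.
  # Here: TLS terminates at the nginx proxy in front of the app.
  ignore: ["Config.HTTPS"],
  # Files to skip entirely. prod.secret.exs is rendered from an .eex
  # template at deploy time, so its placeholders are not real secrets.
  ignore_files: ["config/prod.secret.exs"]
]
```

Keeping the file in the repository makes each ignore a reviewable decision rather than a scanner default, which matters for an entry like `Config.HTTPS` that only holds while the proxy in front of the app does the TLS work. To avoid typing `--config` on every run, a Mix alias in `mix.exs` such as `aliases: [sobelow: "sobelow --config"]` is one option (an assumption about the project's setup, not something the thread covers).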
Nice! A config helper! Awesome!
Hmm, do you have to run it with --config or is that the default? It’d be nice not to specify it every time. ^.^
EDIT: Apparently you have to use --config, how do we set that as the default?
Also now:
╰─➤ mix sobelow --config
zsh: correct 'sobelow' to '.sobelow' [nyae]? n
##############################################
# #
# Running Sobelow - v0.5.1 #
# Created by Griffin Byatt - @griffinbyatt #
# NCC Group - https://nccgroup.trust #
# #
##############################################
... SCAN COMPLETE ...
^.^
The .sobelow file it creates is a bit irritating, but eh… ^.^