Sobelow - Uncover vulnerabilities in your Phoenix projects

You can ignore findings in Sobelow on a per-function basis now! You can also use the ignore flag to ignore classes of vulnerabilities, which has been around since the beginning.

2 Likes

Just pushed an update – Sobelow also now checks for insecure use of String.to_atom, which can lead to memory exhaustion.

Sorry for the multiple updates today! I wasn’t intending on pushing this until a little later in the week, but >20% of my test corpus was vulnerable, so I thought it would be a good one to push out sooner than later :slight_smile:

1 Like
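As an added example (not code from Sobelow or from the post above) of what the String.to_atom check is flagging, the following module shows the vulnerable pattern beside the two usual fixes. Atoms are never garbage collected and the atom table has a hard limit, so any request parameter that is turned into a fresh atom lets a client grow the table until the VM dies. The module and function names and the `params["sort"]` shape are assumptions for illustration.

```elixir
defmodule AtomExample do
  # Added example; not part of the Sobelow project or the original post.
  # The atom table is not garbage collected and has a fixed size
  # (`:erlang.system_info(:atom_limit)`), so converting attacker-controlled
  # strings into atoms is a memory-exhaustion / VM-crash vector.

  # Vulnerable: every distinct value a client sends allocates a new atom
  # that is never freed.
  def sort_field_unsafe(params) do
    String.to_atom(params["sort"])
  end

  # Safer: only convert values the code base already declared as atoms.
  # Unknown input raises ArgumentError instead of allocating.
  def sort_field_existing(params) do
    String.to_existing_atom(params["sort"])
  end

  # Safest: an explicit allowlist. Unknown input falls back to a default
  # and never touches the atom table at all.
  @allowed_sorts %{"name" => :name, "inserted_at" => :inserted_at}
  def sort_field(params) do
    Map.get(@allowed_sorts, params["sort"], :inserted_at)
  end

  # Demonstrates the growth: returns how many atoms a burst of `n` unique,
  # "attacker-controlled" strings added to the running VM.
  def atom_growth(n) when is_integer(n) and n > 0 do
    before = :erlang.system_info(:atom_count)

    Enum.each(1..n, fn i ->
      String.to_atom("attacker_#{i}_#{System.unique_integer([:positive])}")
    end)

    :erlang.system_info(:atom_count) - before
  end
end
```

Calling `AtomExample.atom_growth/1` with a few thousand strings in an `iex` session shows the atom count climbing by exactly that many and never coming back down; `String.to_existing_atom/1` is the drop-in fix when the set of valid atoms is already known to the compiler, and the allowlist is preferable when the set is small and you want a well-defined default instead of an exception.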

Sobelow - 0.3.5

With this release, Sobelow now flags additional denial of service vectors, as well as potentially insecure file/path function use. Problems with file/path functionality are a little less straightforward, so here’s some background:


Insecure use of File and Path

In Elixir, File methods are null-terminated, while Path functions are not. This may cause security issues in certain situations. For example:


user_input = "/var/www/secret.txt\0/name"   # attacker-controlled, contains an embedded null byte
path = Path.dirname(user_input)              # "/var/www/secret.txt\0" (Path keeps the null byte)
public_file = path <> "/public.txt"          # "/var/www/secret.txt\0/public.txt"

File.read(public_file)                       # the OS-level call stops at the null byte: /var/www/secret.txt is read

Because Path functions are not null-terminated, this will attempt to read the file “/var/www/secret.txt\0/public.txt”. However, due to the null-byte termination of File functions, “secret.txt” will ultimately be read.


Updated docs can be found in the repository: https://github.com/nccgroup/sobelow
And you can update with mix archive.install hex sobelow.

1 Like
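An added example (not code from Sobelow or from the post above) of the validation a handler should run before any File call on user-supplied input: reject a null byte outright, then confine the expanded path to a fixed base directory so ".." and absolute paths cannot escape it. The module name, `@base`, and the function names are assumptions. Two caveats: newer Erlang/OTP releases reject a filename containing a null byte instead of silently truncating it, but the Path/File mismatch is still best handled as input validation rather than by relying on the runtime; and this check does not resolve symlinks inside the base directory.

```elixir
defmodule SafePath do
  # Added example; not part of Sobelow or the original post.
  # `@base` and the function names are assumptions for illustration.
  @base "/var/www/public"

  # Returns {:ok, absolute_path} only when `user_input` contains no null byte
  # and resolves to a location inside @base; otherwise {:error, reason}.
  def resolve(user_input) when is_binary(user_input) do
    if String.contains?(user_input, <<0>>) do
      # Path functions carry the null byte through, while the OS-level file
      # call sees a C string and stops at it, so the two disagree about which
      # file is meant. Refuse the input instead of guessing.
      {:error, :null_byte}
    else
      # Path.expand/2 resolves ".", ".." and repeated separators relative to
      # @base, so a traversal attempt collapses to its real target. An absolute
      # user_input is returned as-is by expand/2 and fails the prefix check.
      full = Path.expand(user_input, @base)

      if full == @base or String.starts_with?(full, @base <> "/") do
        {:ok, full}
      else
        {:error, :outside_base}
      end
    end
  end

  # Read helper that never touches the filesystem unless resolve/1 agrees.
  def read(user_input) do
    with {:ok, path} <- resolve(user_input) do
      File.read(path)
    end
  end
end

# Constructed inputs, mirroring the post's scenario:
SafePath.resolve("reports/2017.txt")
SafePath.resolve("../secret.txt")
SafePath.resolve("/etc/passwd")
SafePath.resolve("secret.txt\0/public.txt")
```

Of the four constructed inputs, only the first yields `{:ok, ...}`; the second and third are rejected as outside the base directory, and the last is rejected on the null byte before Path or File ever sees it. The prefix check compares against `@base <> "/"` rather than `@base` alone so that a sibling directory such as `/var/www/public_old` is not accepted by accident.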

Sobelow - 0.3.6

Sobelow will now warn you if your application is susceptible to publicly disclosed vulnerabilities. This was a much-requested feature in previous disclosure threads, so hopefully it gets put to good use!


Random info

  • Sobelow automatically identifies valid vulnerabilities in around 90% of my 30ish-project body of tests. This is excluding HTTPS checks.
  • The most common vulnerabilities are: missing HTTPS, known-vulnerable packages, directory traversal, and memory exhaustion.
  • This will probably be the last addition I make to vulnerability checks for the next couple of weeks. I’m going to focus on refactoring and getting the API/configs locked down.
6 Likes

For anyone who hasn’t given Sobelow a try yet, here is a great and thorough post on getting started:

https://brainlid.org/elixir/2017/06/14/security-scanning-phoenix.html

Also - I’ve been out of the country, so no updates this week. But next week should have some nice additions!

4 Likes

Whoo! I’m waiting for sobelow to detect issues in my main work code! It has not as of yet. :slight_smile:

2 Likes

Well, unfortunately(?), that probably won’t happen this week! If things go as planned, this week will be some output formatting options (most likely just some simple JSON output), as well as the ability to save config options :slight_smile:

1 Like

Sobelow - 0.5.1

I wanted to give an update, since it’s been a while since the last (0.3.6). Updates include a number of output formatting options, the ability to run w/ a config file, additional vulnerability checks, bug fixes, and other general improvements. If you take a look at the README, you will likely find some new, useful features.

As always, install the latest update with:

mix archive.install hex sobelow

If you run into any issues, let me know!

3 Likes

Installing it spewed a TON of warnings. ^.^;

╰─➤  mix archive.install hex sobelow
==> Elixir.Mix.Local.Installer.Fetcher
Running dependency resolution...
Dependency resolution completed:
  sobelow 0.5.1
* Getting sobelow (Hex package)
  Checking package (https://repo.hex.pm/tarballs/sobelow-0.5.1.tar)
  Fetched package
==> sobelow
Compiling 35 files (.ex)
warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
  lib/sobelow/config/secrets.ex:19: Sobelow.Config.Secrets.get_details/0

warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
  lib/sobelow/xss/raw.ex:3: Sobelow.XSS.Raw.get_details/0

warning: this check/guard will always yield the same result
  lib/sobelow/config/secrets.ex:19

warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
  lib/sobelow/dos/string_to_atom.ex:15: Sobelow.DOS.StringToAtom.get_details/0

warning: this check/guard will always yield the same result
  lib/sobelow/dos/string_to_atom.ex:15

warning: this clause cannot match because a previous clause at line 3 always matches
  lib/sobelow/xss/raw.ex:3

warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
  lib/sobelow/traversal/file_module.ex:3: Sobelow.Traversal.FileModule.get_details/0

warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
  lib/sobelow/xss/send_resp.ex:3: Sobelow.XSS.SendResp.get_details/0

warning: this clause cannot match because a previous clause at line 3 always matches
  lib/sobelow/traversal/file_module.ex:3

warning: this clause cannot match because a previous clause at line 3 always matches
  lib/sobelow/xss/send_resp.ex:3

warning: this check/guard will always yield the same result
  lib/sobelow/traversal.ex:20

warning: this check/guard will always yield the same result
  lib/sobelow/sql.ex:18

warning: this check/guard will always yield the same result
  lib/sobelow/vuln.ex:13

warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
  lib/sobelow/misc/bin_to_term.ex:15: Sobelow.Misc.BinToTerm.get_details/0

warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
  lib/sobelow/ci/os.ex:3: Sobelow.CI.OS.get_details/0

warning: this check/guard will always yield the same result
  lib/sobelow/misc/bin_to_term.ex:15

warning: this clause cannot match because a previous clause at line 3 always matches
  lib/sobelow/ci/os.ex:3

warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
  lib/sobelow/vuln/plug_null.ex:4: Sobelow.Vuln.PlugNull.get_details/0

warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
  lib/sobelow/vuln/header_inject.ex:4: Sobelow.Vuln.HeaderInject.get_details/0

warning: this clause cannot match because a previous clause at line 4 always matches
  lib/sobelow/vuln/plug_null.ex:4

warning: this clause cannot match because a previous clause at line 4 always matches
  lib/sobelow/vuln/header_inject.ex:4

warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
  lib/sobelow/config/csrf.ex:21: Sobelow.Config.CSRF.get_details/0

warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
  lib/sobelow/misc/file_path.ex:28: Sobelow.Misc.FilePath.get_details/0

warning: this check/guard will always yield the same result
  lib/sobelow/config/csrf.ex:21

warning: this check/guard will always yield the same result
  lib/sobelow/misc/file_path.ex:28

warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
  lib/sobelow/vuln/redirect.ex:4: Sobelow.Vuln.Redirect.get_details/0

warning: this check/guard will always yield the same result
  lib/sobelow/ci.ex:18

warning: this clause cannot match because a previous clause at line 4 always matches
  lib/sobelow/vuln/redirect.ex:4

warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
  lib/sobelow/ci/system.ex:3: Sobelow.CI.System.get_details/0

warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
  lib/sobelow/config/hsts.ex:15: Sobelow.Config.HSTS.get_details/0

warning: this clause cannot match because a previous clause at line 3 always matches
  lib/sobelow/ci/system.ex:3

warning: this check/guard will always yield the same result
  lib/sobelow/config/hsts.ex:15

warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
  lib/sobelow/config/headers.ex:19: Sobelow.Config.Headers.get_details/0

warning: this check/guard will always yield the same result
  lib/sobelow/config/headers.ex:19

warning: this check/guard will always yield the same result
  lib/sobelow/xss.ex:22

warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
  lib/sobelow/vuln/cookie_rce.ex:4: Sobelow.Vuln.CookieRCE.get_details/0

warning: this clause cannot match because a previous clause at line 3 always matches
  lib/sobelow/misc.ex:3

warning: this clause cannot match because a previous clause at line 4 always matches
  lib/sobelow/vuln/cookie_rce.ex:4

warning: this clause cannot match because a previous clause at line 11 always matches
  lib/sobelow/config.ex:11

warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
  lib/sobelow/sql/query.ex:3: Sobelow.SQL.Query.get_details/0

warning: this clause cannot match because a previous clause at line 3 always matches
  lib/sobelow/dos.ex:3

warning: this clause cannot match because a previous clause at line 3 always matches
  lib/sobelow/sql/query.ex:3

warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
  lib/sobelow/traversal/send_file.ex:3: Sobelow.Traversal.SendFile.get_details/0

warning: this clause cannot match because a previous clause at line 3 always matches
  lib/sobelow/traversal/send_file.ex:3

warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
  lib/sobelow/config/https.ex:16: Sobelow.Config.HTTPS.get_details/0

warning: this check/guard will always yield the same result
  lib/sobelow/config/https.ex:16

warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
  lib/sobelow/sql/stream.ex:3: Sobelow.SQL.Stream.get_details/0

warning: this clause cannot match because a previous clause at line 3 always matches
  lib/sobelow/sql/stream.ex:3

warning: clauses for the same defp should be grouped together, defp maybe_highlight/5 was previously defined (lib/sobelow/utils.ex:78)
  lib/sobelow/utils.ex:92

warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
  lib/sobelow/dos/list_to_atom.ex:15: Sobelow.DOS.ListToAtom.get_details/0

warning: clauses for the same def should be grouped together, def extract_opts/1 was previously defined (lib/sobelow/utils.ex:467)
  lib/sobelow/utils.ex:474

warning: this check/guard will always yield the same result
  lib/sobelow/dos/list_to_atom.ex:15

warning: undefined module attribute @submodules, please remove access to @submodules or explicitly set it before access
  lib/sobelow/xss/content_type.ex:25: Sobelow.XSS.ContentType.get_details/0

warning: this check/guard will always yield the same result
  lib/sobelow/xss/content_type.ex:25

Generated sobelow app
Generated archive "sobelow-0.5.1.ez" with MIX_ENV=prod
Are you sure you want to install "sobelow-0.5.1.ez"? [Yn] Y
* creating /home/my_user/.mix/archives/sobelow-0.5.1
1 Like

Ah yes. The Elixir compiler really hates the little metaprogramming bit I did to prevent some code duplication in printing out information about finding categories. It’s been around since the first release, so I’m surprised this is the first time you’ve noticed it! :stuck_out_tongue:

The good news is that I’m planning on re-working that bit pretty soon. So the warnings should drop fairly significantly!

I’ve noticed it every time, just thought I’d report it now. ^.^

Lol. Well thanks, as always, for taking a look! Your input is definitely appreciated. I considered adding a note to the initial announcement pre-thanking you for looking, and pre-apologizing for Sobelow not flagging anything in your app :joy:

2 Likes

Lol!

I’m still awaiting it to flag something. I just made a huge amount of changes in a branch for the new redhat production deployment (I scan mainline, should probably scan everything), let me scan it right quick…:

╰─➤  mix sobelow
Error fetching version number.

##############################################
#                                            #
#          Running Sobelow - v0.5.1          #
#  Created by Griffin Byatt - @griffinbyatt  #
#     NCC Group - https://nccgroup.trust     #
#                                            #
##############################################

Hardcoded Secret - High Confidence
File: config/prod.secret.exs - line 4
Type: secret_key_base

-----------------------------------------------

Hardcoded Secret - High Confidence
File: config/prod.secret.exs - line 8
Type: password

-----------------------------------------------

HTTPS Not Enabled - High Confidence

-----------------------------------------------

... SCAN COMPLETE ...

Well, the prod.secret.exs is dynamically pulled from the environment, so unsure why it is saying it is hardcoded. Same thing on line 8 too (false positives).

As for HTTPS, that is no longer enabled in the app since it is running behind an nginx reverse proxy that handles HTTPS itself, so another false positive. ^.^

1 Like

Very impressed with this tool. Just ran it on a pet project and it caught the hardcoded DB secrets. Curious to run it on our team’s repos tomorrow. Keep up the good work!

1 Like

Is there a temporary string in prod.secret.exs or something? The scanner should correctly not report secrets pulled via functions like System.get_env or environment variables set with “${ENV}”. If you could PM me the results of running mix sobelow -v that would be very helpful!

Awesome! Glad you’re finding it useful :slight_smile:

Rather, it gets generated from scripts to generate a prod.secret.exs file from a template file of prod.secret.exs.eex. The prod.secret.exs file itself is ignored by git. Perhaps sobelow should ignore the same files that .gitignore ignores?

Oh, that makes total sense! That’s something I’ll definitely look into. For a nearer-term solution, there is currently an --ignore-files flag you can use (more likely in a .sobelow-conf file than actually passed on the command line).

Thanks again!

Ooo, what is the format of the .sobelow-conf file so I can put that in? :slight_smile:

Also, how can I have it ignore the HTTPS not enabled (not the entire prod.exs file) since nginx handles that?

The easiest thing you could do is:

mix sobelow -i Config.HTTPS --ignore-files config/prod.secret.exs --save-config

Then you can run with:

mix sobelow --config

The format is basically just a keyword list, but a --save-config is helpful to get it started :slight_smile:
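As an added illustration (not the project's own documentation), this is what a .sobelow-conf keyword list equivalent to the command above looks like. The key names `ignore` and `ignore_files` mirror the `-i` and `--ignore-files` flags and are assumed here, so let `--save-config` write the authoritative file for your installed version and edit that rather than hand-writing it from this.

```elixir
# .sobelow-conf (added example; key names are assumptions that mirror the
# -i and --ignore-files flags, so generate the real file with --save-config)
[
  # Skip the HTTPS check: TLS is terminated at the nginx reverse proxy,
  # not in the Phoenix endpoint.
  ignore: ["Config.HTTPS"],

  # Skip the generated, git-ignored secrets file that is filled in at deploy
  # time; the hardcoded-secret findings there are false positives.
  ignore_files: ["config/prod.secret.exs"]
]
```

Ignoring a whole check class such as `Config.HTTPS` is the right tool when the mitigation lives outside the application, as here; for a single false positive inside a function, the per-function ignore mentioned at the top of the thread keeps the check active everywhere else.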

Nice! A config helper! Awesome!

Hmm, do you have to run it with --config or is that the default? It’d be nice not to specify it every time. ^.^

EDIT: Apparently have to use --config, how do we set that as the default?

Also now:

╰─➤  mix sobelow --config
zsh: correct 'sobelow' to '.sobelow' [nyae]? n
##############################################
#                                            #
#          Running Sobelow - v0.5.1          #
#  Created by Griffin Byatt - @griffinbyatt  #
#     NCC Group - https://nccgroup.trust     #
#                                            #
##############################################

... SCAN COMPLETE ...

^.^

The .sobelow file it creates is a bit irritating, but eh… ^.^