From ee9177b88e343ffab809cad06768af87157c9cf1 Mon Sep 17 00:00:00 2001
From: Doc Ritezel
Date: Sun, 21 Jan 2018 22:37:34 -0800
Subject: [PATCH] Configure Sobelow to scan for vulnerabilities

---
 .gitignore | 3 +++
 .sobelow-conf | 10 ++++++++++
 circle.yml | 3 ++-
 lib/explorer_web/router.ex | 8 +++++++-
 mix.exs | 1 +
 mix.lock | 1 +
 6 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 .sobelow-conf

diff --git a/.gitignore b/.gitignore
index 1c9e1f73c7..9f03dd3c94 100644
--- a/.gitignore
+++ b/.gitignore
@@ -28,3 +28,6 @@ npm-debug.log
 
 # Wallaby screenshots
 screenshots/
+
+# Sobelow
+.sobelow
diff --git a/.sobelow-conf b/.sobelow-conf
new file mode 100644
index 0000000000..be1bf49d99
--- /dev/null
+++ b/.sobelow-conf
@@ -0,0 +1,10 @@
+[
+  verbose: false,
+  private: true,
+  skip: false,
+  router: "",
+  exit: "low",
+  format: "compact",
+  ignore: [""],
+  ignore_files: [""]
+]
diff --git a/circle.yml b/circle.yml
index 967acc5639..195144c355 100644
--- a/circle.yml
+++ b/circle.yml
@@ -42,7 +42,8 @@ dependencies:
 
 test:
   pre:
-    - mix credo --strict
+    - mix credo
+    - mix sobelow --private --compact --exit Low
     - cd assets && npm run eslint -- --format=junit --output-file="$CIRCLE_TEST_REPORTS/eslint/junit.xml" && cd ..
   override:
     - mix test
diff --git a/lib/explorer_web/router.ex b/lib/explorer_web/router.ex
index 0669180633..6a5fe4f34a 100644
--- a/lib/explorer_web/router.ex
+++ b/lib/explorer_web/router.ex
@@ -6,7 +6,13 @@ defmodule ExplorerWeb.Router do
     plug :fetch_session
     plug :fetch_flash
     plug :protect_from_forgery
-    plug :put_secure_browser_headers
+    plug :put_secure_browser_headers, %{
+      "content-security-policy" => "\
+        default-src 'self';\
+        script-src 'self' 'unsafe-inline' 'unsafe-eval';\
+        style-src 'self' 'unsafe-inline' 'unsafe-eval'\
+      "
+    }
     plug SetLocale, gettext: ExplorerWeb.Gettext, default_locale: "en"
   end
 
diff --git a/mix.exs b/mix.exs
index 84a0292256..4cca33ffed 100644
--- a/mix.exs
+++ b/mix.exs
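Review bot: The `pre` step also drops `--strict` from `mix credo`, which loosens the existing lint gate and is unrelated to enabling Sobelow; either restore `- mix credo --strict` or explain the downgrade in the commit message. The `--private --compact --exit Low` flags repeat what the new `.sobelow-conf` sets, and as far as I recall Sobelow only reads that file when invoked with `--config`, so as written CI ignores the file and the two copies can drift; running `- mix sobelow --config` and keeping the settings in one place avoids that. The enclosing `test:` section continues past the hunk.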
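Review bot: The `script-src 'self' 'unsafe-inline' 'unsafe-eval'` value in the new content-security-policy header lets any injected inline script or string-evaluated code run, so the policy gives essentially no XSS mitigation and mainly satisfies the header-presence check that Sobelow reports on. If the templates' inline scripts cannot be moved into the compiled assets yet, say so at the call site, e.g. `# TODO: drop 'unsafe-inline'/'unsafe-eval' once inline <script> tags are gone (use nonces or hashes)`, so the weakened policy is visibly temporary. Adding `object-src 'none'; base-uri 'self'` costs nothing for this app and closes two well-known bypass routes. Note also that the backslash-newline continuations keep each line's leading indentation inside the header value sent to the client. The enclosing block (presumably the browser pipeline) opens before the hunk.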
@@ -54,6 +54,7 @@ defmodule Explorer.Mixfile do
       {:phoenix_pubsub_redis, "~> 2.1.0", only: [:prod]},
       {:postgrex, ">= 0.0.0"},
       {:set_locale, github: "minifast/set_locale", branch: "master"}, # Waiting on https://github.com/smeevil/set_locale/pull/9
+      {:sobelow, ">= 0.0.0", only: [:dev, :test], runtime: false},
       {:timex, "~> 3.1.24"},
       {:timex_ecto, "~> 3.2.1"},
       {:wallaby, "~> 0.19.2", only: [:test], runtime: false},
diff --git a/mix.lock b/mix.lock
index 5f503eb99a..dc683bb354 100644
--- a/mix.lock
+++ b/mix.lock
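Review bot: The new `{:sobelow, ">= 0.0.0", only: [:dev, :test], runtime: false}` requirement accepts any future release, so a `mix deps.update sobelow` can jump across major versions and silently change what the CI gate checks or exits on; the lock in this commit resolves it to 0.6.6. Pinning it, e.g. `{:sobelow, "~> 0.6", only: [:dev, :test], runtime: false}`, keeps the CI result reproducible and matches how most other entries in this list are constrained. The deps list continues outside the hunk.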
@@ -34,6 +34,7 @@
   "redix": {:hex, :redix, "0.6.1", "20986b0e02f02b13e6f53c79a1ae70aa83147488c408f40275ec261f5bb0a6d0", [:mix], [{:connection, "~> 1.0", [hex: :connection, repo: "hexpm", optional: false]}], "hexpm"},
   "redix_pubsub": {:hex, :redix_pubsub, "0.4.1", "26e6a69129072ac2226be49139019bdf951bb1e9e210a773c1372acf88100936", [:mix], [{:connection, "~> 1.0", [hex: :connection, repo: "hexpm", optional: false]}, {:redix, "~> 0.6.0", [hex: :redix, repo: "hexpm", optional: false]}], "hexpm"},
   "set_locale": {:git, "https://github.com/minifast/set_locale.git", "da9ae029642bc0fbd9212c2aaf86c0adca70c084", [branch: "master"]},
+  "sobelow": {:hex, :sobelow, "0.6.6", "04a2850fe31d241ef8c53b83ab9216f7659c19eb94bfb271d2b664e6953b4965", [:mix], [], "hexpm"},
   "ssl_verify_fun": {:hex, :ssl_verify_fun, "1.1.1", "28a4d65b7f59893bc2c7de786dec1e1555bd742d336043fe644ae956c3497fbe", [:make, :rebar], [], "hexpm"},
   "timex": {:hex, :timex, "3.1.24", "d198ae9783ac807721cca0c5535384ebdf99da4976be8cefb9665a9262a1e9e3", [:mix], [{:combine, "~> 0.7", [hex: :combine, repo: "hexpm", optional: false]}, {:gettext, "~> 0.10", [hex: :gettext, repo: "hexpm", optional: false]}, {:tzdata, "~> 0.1.8 or ~> 0.5", [hex: :tzdata, repo: "hexpm", optional: false]}], "hexpm"},
   "timex_ecto": {:hex, :timex_ecto, "3.2.1", "461140751026e1ca03298fab628f78ab189e78784175f5e301eefa034ee530aa", [:mix], [{:ecto, "~> 2.2", [hex: :ecto, repo: "hexpm", optional: false]}, {:timex, "~> 3.1", [hex: :timex, repo: "hexpm", optional: false]}], "hexpm"},