chore: add sobelow for security scans (#82)
zorn authored Sep 8, 2024
1 parent 371383a commit c9b1abd
Showing 5 changed files with 24 additions and 11 deletions.
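--- a/.github/workflows/code-quality.yaml
+++ b/.github/workflows/code-quality.yaml
@@ -41,7 +41,6 @@ jobs:
 run: mix xref graph --label compile-connected --fail-above 0
 if: always()
 
-# FIXME: https://github.com/zorn/flick/issues/69
-# - name: Check for security vulnerabilities in Phoenix project
-# run: mix sobelow
-# if: always()
+- name: Check for security vulnerabilities in Phoenix project
+run: mix sobelow
+if: always()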
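Review bot: The new `mix sobelow` step cannot fail the job on findings as written: sobelow exits zero by default and only returns a non-zero status when asked to via `--exit`, so this step is advisory rather than a gate. I would change the run line to `run: mix sobelow --exit low` (or a higher confidence level, with `--threshold` to tune noise) so a new finding turns the workflow red. Keeping `if: always()` matches the neighbouring xref step, so the scan still reports after an earlier step fails. The enclosing job and its steps list open above the hunk.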
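--- a/config/prod.exs
+++ b/config/prod.exs
@@ -1,11 +1,15 @@
 import Config
 
-# Note we also include the path to a cache manifest
-# containing the digested version of static files. This
-# manifest is generated by the `mix assets.deploy` task,
-# which you should run after static files are built and
-# before starting your production server.
-config :flick, FlickWeb.Endpoint, cache_static_manifest: "priv/static/cache_manifest.json"
+config :flick, FlickWeb.Endpoint,
+# Note we also include the path to a cache manifest
+# containing the digested version of static files. This
+# manifest is generated by the `mix assets.deploy` task,
+# which you should run after static files are built and
+# before starting your production server.
+cache_static_manifest: "priv/static/cache_manifest.json",
+
+# https://hexdocs.pm/phoenix/using_ssl.html#hsts
+force_ssl: [hsts: true]
 
 # Configures Swoosh API Client
 config :swoosh, api_client: Swoosh.ApiClient.Finch, finch_name: Flick.Finch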
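Review bot: `force_ssl: [hsts: true]` also enables Plug.SSL's HTTP-to-HTTPS redirect, and when TLS is terminated at a proxy or load balancer in front of the app every request arrives as plain HTTP and the redirect loops unless the scheme is recovered from the forwarded header. If Flick is deployed behind such a proxy, the line should read `force_ssl: [hsts: true, rewrite_on: [:x_forwarded_proto]]`; the guide linked in the comment covers this case. Since the HSTS header is cached by browsers for Plug.SSL's default max-age, a one-line comment above `force_ssl` saying that the policy persists in clients after it is sent, and that `:expires`, `:subdomains` and `:preload` are the knobs if it ever needs adjusting, would help the next maintainer.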
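--- a/lib/flick_web/router.ex
+++ b/lib/flick_web/router.ex
@@ -9,7 +9,13 @@ defmodule FlickWeb.Router do
 plug :fetch_live_flash
 plug :put_root_layout, html: {FlickWeb.Layouts, :root}
 plug :protect_from_forgery
-plug :put_secure_browser_headers
+
+# Tailwind uses SVG data URLs for icons,
+# so we need to allow them with `img-src`.
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+plug :put_secure_browser_headers, %{
+"content-security-policy" => "default-src 'self'; img-src 'self' data:"
+}
 end
 
 pipeline :admin do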
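Review bot: The map given to `put_secure_browser_headers` is merged with the plug's default headers by key, so the custom `content-security-policy` value replaces the default one outright; on Phoenix versions whose default CSP is `base-uri 'self'; frame-ancestors 'self'` (1.7 and later, if that is what Flick runs) both directives are silently dropped by this hunk. I would carry them over: `"content-security-policy" => "default-src 'self'; img-src 'self' data:; base-uri 'self'; frame-ancestors 'self'"`. There is also no `connect-src`, so the LiveView socket relies on `'self'` matching same-origin `ws:`/`wss:`, which current engines allow but older ones did not, so it is worth checking the console for CSP violations in the browsers you support. The comment could additionally state that every resource type not listed falls back to `default-src 'self'`, which blocks inline scripts and styles. The `pipeline :browser` block that contains this plug opens above the hunk.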
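--- a/mix.exs
+++ b/mix.exs
@@ -51,6 +51,9 @@ defmodule Flick.MixProject do
 # To Render Markdown.
 {:earmark, "~> 1.4"},
 
+# For security scans.
+{:sobelow, "~> 0.13", only: [:dev, :test], runtime: false},
+
 # Unorganized
 {:bandit, "~> 1.2"},
 {:dns_cluster, "~> 0.1.1"},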
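--- a/mix.lock
+++ b/mix.lock
@@ -47,6 +47,7 @@
 "plug": {:hex, :plug, "1.16.1", "40c74619c12f82736d2214557dedec2e9762029b2438d6d175c5074c933edc9d", [:mix], [{:mime, "~> 1.0 or ~> 2.0", [hex: :mime, repo: "hexpm", optional: false]}, {:plug_crypto, "~> 1.1.1 or ~> 1.2 or ~> 2.0", [hex: :plug_crypto, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4.3 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "a13ff6b9006b03d7e33874945b2755253841b238c34071ed85b0e86057f8cddc"},
 "plug_crypto": {:hex, :plug_crypto, "2.1.0", "f44309c2b06d249c27c8d3f65cfe08158ade08418cf540fd4f72d4d6863abb7b", [:mix], [], "hexpm", "131216a4b030b8f8ce0f26038bc4421ae60e4bb95c5cf5395e1421437824c4fa"},
 "postgrex": {:hex, :postgrex, "0.19.1", "73b498508b69aded53907fe48a1fee811be34cc720e69ef4ccd568c8715495ea", [:mix], [{:db_connection, "~> 2.1", [hex: :db_connection, repo: "hexpm", optional: false]}, {:decimal, "~> 1.5 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:table, "~> 0.1.0", [hex: :table, repo: "hexpm", optional: true]}], "hexpm", "8bac7885a18f381e091ec6caf41bda7bb8c77912bb0e9285212829afe5d8a8f8"},
+"sobelow": {:hex, :sobelow, "0.13.0", "218afe9075904793f5c64b8837cc356e493d88fddde126a463839351870b8d1e", [:mix], [{:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}], "hexpm", "cd6e9026b85fc35d7529da14f95e85a078d9dd1907a9097b3ba6ac7ebbe34a0d"},
 "ssl_verify_fun": {:hex, :ssl_verify_fun, "1.1.7", "354c321cf377240c7b8716899e182ce4890c5938111a1296add3ec74cf1715df", [:make, :mix, :rebar3], [], "hexpm", "fe4c190e8f37401d30167c8c405eda19469f34577987c76dde613e838bbc67f8"},
 "swoosh": {:hex, :swoosh, "1.16.10", "04be6e2eb1a31aa0aa21a731175c81cc3998189456a92daf13d44a5c754afcf5", [:mix], [{:bandit, ">= 1.0.0", [hex: :bandit, repo: "hexpm", optional: true]}, {:cowboy, "~> 1.1 or ~> 2.4", [hex: :cowboy, repo: "hexpm", optional: true]}, {:ex_aws, "~> 2.1", [hex: :ex_aws, repo: "hexpm", optional: true]}, {:finch, "~> 0.6", [hex: :finch, repo: "hexpm", optional: true]}, {:gen_smtp, "~> 0.13 or ~> 1.0", [hex: :gen_smtp, repo: "hexpm", optional: true]}, {:hackney, "~> 1.9", [hex: :hackney, repo: "hexpm", optional: true]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}, {:mail, "~> 0.2", [hex: :mail, repo: "hexpm", optional: true]}, {:mime, "~> 1.1 or ~> 2.0", [hex: :mime, repo: "hexpm", optional: false]}, {:mua, "~> 0.2.3", [hex: :mua, repo: "hexpm", optional: true]}, {:multipart, "~> 0.4", [hex: :multipart, repo: "hexpm", optional: true]}, {:plug, "~> 1.9", [hex: :plug, repo: "hexpm", optional: true]}, {:plug_cowboy, ">= 1.0.0", [hex: :plug_cowboy, repo: "hexpm", optional: true]}, {:req, "~> 0.5 or ~> 1.0", [hex: :req, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4.2 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "756be04db173c0cbe318f1dfe2bcc88aa63aed78cf5a4b02b61b36ee11fc716a"},
 "tailwind": {:hex, :tailwind, "0.2.3", "277f08145d407de49650d0a4685dc062174bdd1ae7731c5f1da86163a24dfcdb", [:mix], [{:castore, ">= 0.0.0", [hex: :castore, repo: "hexpm", optional: false]}], "hexpm", "8e45e7a34a676a7747d04f7913a96c770c85e6be810a1d7f91e713d3a3655b5d"},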
