From c9b1abd53888326b6f3191a3c9aa75b7a8f62a86 Mon Sep 17 00:00:00 2001
From: Mike Zornek
Date: Sun, 8 Sep 2024 13:15:38 -0400
Subject: [PATCH] chore: add sobelow for security scans (#82)

---
 .github/workflows/code-quality.yaml | 7 +++----
 config/prod.exs | 16 ++++++++++------
 lib/flick_web/router.ex | 8 +++++++-
 mix.exs | 3 +++
 mix.lock | 1 +
 5 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/code-quality.yaml b/.github/workflows/code-quality.yaml
index a085c59..4e08277 100644
--- a/.github/workflows/code-quality.yaml
+++ b/.github/workflows/code-quality.yaml
@@ -41,7 +41,6 @@ jobs:
 run: mix xref graph --label compile-connected --fail-above 0
 if: always()
 
- # FIXME: https://github.com/zorn/flick/issues/69
- # - name: Check for security vulnerabilities in Phoenix project
- # run: mix sobelow
- # if: always()
+ - name: Check for security vulnerabilities in Phoenix project
+ run: mix sobelow
+ if: always()
diff --git a/config/prod.exs b/config/prod.exs
index 648f793..c7d1bf8 100644
--- a/config/prod.exs
+++ b/config/prod.exs
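Review bot: `run: mix sobelow` in the new step will not fail the job on findings: Sobelow prints its report and exits 0 unless a confidence threshold is requested with `--exit`, so the step is informational as written; `run: mix sobelow --exit low` (or `--exit medium` / `--exit high` to tolerate lower-confidence hits) makes the gate real. Combined with `if: always()`, a green step here could otherwise be read as a clean scan when it is not. Consider also committing a `.sobelow-conf` (generated with `--save-config` and read with `--config`) so any skipped checks and the exit level are reviewed in the repository rather than in the workflow. The enclosing job and its `steps:` list start outside the hunk.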
@@ -1,11 +1,15 @@
 import Config
 
-# Note we also include the path to a cache manifest
-# containing the digested version of static files. This
-# manifest is generated by the `mix assets.deploy` task,
-# which you should run after static files are built and
-# before starting your production server.
-config :flick, FlickWeb.Endpoint, cache_static_manifest: "priv/static/cache_manifest.json"
+config :flick, FlickWeb.Endpoint,
+ # Note we also include the path to a cache manifest
+ # containing the digested version of static files. This
+ # manifest is generated by the `mix assets.deploy` task,
+ # which you should run after static files are built and
+ # before starting your production server.
+ cache_static_manifest: "priv/static/cache_manifest.json",
+
+ # https://hexdocs.pm/phoenix/using_ssl.html#hsts
+ force_ssl: [hsts: true]
 
 # Configures Swoosh API Client
 config :swoosh, api_client: Swoosh.ApiClient.Finch, finch_name: Flick.Finch
diff --git a/lib/flick_web/router.ex b/lib/flick_web/router.ex
index 43e15e4..f667172 100644
--- a/lib/flick_web/router.ex
+++ b/lib/flick_web/router.ex
@@ -9,7 +9,13 @@ defmodule FlickWeb.Router do
 plug :fetch_live_flash
 plug :put_root_layout, html: {FlickWeb.Layouts, :root}
 plug :protect_from_forgery
- plug :put_secure_browser_headers
+
+ # Tailwind uses SVG data URLs for icons,
+ # so we need to allow them with `img-src`.
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+ plug :put_secure_browser_headers, %{
+ "content-security-policy" => "default-src 'self'; img-src 'self' data:"
+ }
 end
 
 pipeline :admin do
diff --git a/mix.exs b/mix.exs
index 1116508..b7a4001 100644
--- a/mix.exs
+++ b/mix.exs
@@ -51,6 +51,9 @@ defmodule Flick.MixProject do
 # To Render Markdown.
 {:earmark, "~> 1.4"},
 
+ # For security scans.
+ {:sobelow, "~> 0.13", only: [:dev, :test], runtime: false},
+
 # Unorganized
 {:bandit, "~> 1.2"},
 {:dns_cluster, "~> 0.1.1"},
diff --git a/mix.lock b/mix.lock
index f692730..babb50c 100644
--- a/mix.lock
+++ b/mix.lock
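Review bot: `force_ssl: [hsts: true]` turns on the HTTPS redirect, but if TLS is terminated by a proxy or platform load balancer in front of the release, the endpoint sees plain HTTP and `Plug.SSL` will redirect every request in a loop unless it trusts the forwarded scheme; the Phoenix guide linked in the comment pairs it with `force_ssl: [rewrite_on: [:x_forwarded_proto], hsts: true]`. Whether that applies depends on the deployment target, which is not visible here, so it should be confirmed before this reaches prod. `hsts: true` is already `Plug.SSL`'s default, so the header's max-age and subdomain scope come from library defaults; setting `expires:` and `subdomains:` explicitly would make the HSTS commitment visible in config. Browsers cache HSTS for the full max-age, so every host that serves this endpoint must be able to serve TLS before the header goes out.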
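Review bot: `default-src 'self'` is a sound baseline, but `form-action` and `base-uri` do not fall back to `default-src`, so form submission targets and `<base>` injection stay unrestricted; consider `"content-security-policy" => "default-src 'self'; img-src 'self' data:; form-action 'self'; base-uri 'self'"`. The LiveView socket is governed by `connect-src`, which does inherit `'self'`; current browsers match same-origin `wss://` under `'self'`, but some older ones did not, so verify the socket connects across the supported browser set or list the `wss:` origin explicitly. The `pipeline :admin do` visible below the hunk suggests additional routes; if anything mounted there renders inline scripts, this header will block them unless a nonce is added. The `pipeline` this plug belongs to opens outside the hunk, so the policy presumably applies to the whole browser pipeline.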
@@ -47,6 +47,7 @@ "plug": {:hex, :plug, "1.16.1", "40c74619c12f82736d2214557dedec2e9762029b2438d6d175c5074c933edc9d", [:mix], [{:mime, "~> 1.0 or ~> 2.0", [hex: :mime, repo: "hexpm", optional: false]}, {:plug_crypto, "~> 1.1.1 or ~> 1.2 or ~> 2.0", [hex: :plug_crypto, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4.3 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "a13ff6b9006b03d7e33874945b2755253841b238c34071ed85b0e86057f8cddc"}, "plug_crypto": {:hex, :plug_crypto, "2.1.0", "f44309c2b06d249c27c8d3f65cfe08158ade08418cf540fd4f72d4d6863abb7b", [:mix], [], "hexpm", "131216a4b030b8f8ce0f26038bc4421ae60e4bb95c5cf5395e1421437824c4fa"}, "postgrex": {:hex, :postgrex, "0.19.1", "73b498508b69aded53907fe48a1fee811be34cc720e69ef4ccd568c8715495ea", [:mix], [{:db_connection, "~> 2.1", [hex: :db_connection, repo: "hexpm", optional: false]}, {:decimal, "~> 1.5 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:table, "~> 0.1.0", [hex: :table, repo: "hexpm", optional: true]}], "hexpm", "8bac7885a18f381e091ec6caf41bda7bb8c77912bb0e9285212829afe5d8a8f8"}, + "sobelow": {:hex, :sobelow, "0.13.0", "218afe9075904793f5c64b8837cc356e493d88fddde126a463839351870b8d1e", [:mix], [{:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}], "hexpm", "cd6e9026b85fc35d7529da14f95e85a078d9dd1907a9097b3ba6ac7ebbe34a0d"}, "ssl_verify_fun": {:hex, :ssl_verify_fun, "1.1.7", "354c321cf377240c7b8716899e182ce4890c5938111a1296add3ec74cf1715df", [:make, :mix, :rebar3], [], "hexpm", "fe4c190e8f37401d30167c8c405eda19469f34577987c76dde613e838bbc67f8"}, "swoosh": {:hex, :swoosh, "1.16.10", "04be6e2eb1a31aa0aa21a731175c81cc3998189456a92daf13d44a5c754afcf5", [:mix], [{:bandit, ">= 1.0.0", [hex: :bandit, repo: "hexpm", optional: true]}, {:cowboy, "~> 1.1 or ~> 2.4", [hex: :cowboy, repo: "hexpm", optional: true]}, {:ex_aws, "~> 2.1", [hex: :ex_aws, repo: "hexpm", optional: true]}, {:finch, "~> 
0.6", [hex: :finch, repo: "hexpm", optional: true]}, {:gen_smtp, "~> 0.13 or ~> 1.0", [hex: :gen_smtp, repo: "hexpm", optional: true]}, {:hackney, "~> 1.9", [hex: :hackney, repo: "hexpm", optional: true]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}, {:mail, "~> 0.2", [hex: :mail, repo: "hexpm", optional: true]}, {:mime, "~> 1.1 or ~> 2.0", [hex: :mime, repo: "hexpm", optional: false]}, {:mua, "~> 0.2.3", [hex: :mua, repo: "hexpm", optional: true]}, {:multipart, "~> 0.4", [hex: :multipart, repo: "hexpm", optional: true]}, {:plug, "~> 1.9", [hex: :plug, repo: "hexpm", optional: true]}, {:plug_cowboy, ">= 1.0.0", [hex: :plug_cowboy, repo: "hexpm", optional: true]}, {:req, "~> 0.5 or ~> 1.0", [hex: :req, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4.2 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "756be04db173c0cbe318f1dfe2bcc88aa63aed78cf5a4b02b61b36ee11fc716a"}, "tailwind": {:hex, :tailwind, "0.2.3", "277f08145d407de49650d0a4685dc062174bdd1ae7731c5f1da86163a24dfcdb", [:mix], [{:castore, ">= 0.0.0", [hex: :castore, repo: "hexpm", optional: false]}], "hexpm", "8e45e7a34a676a7747d04f7913a96c770c85e6be810a1d7f91e713d3a3655b5d"},