Elixir Security: Sobelow 0.12.1 Released, Adds LiveView Support

Michael Lubas, 2023-03-30

Sobelow version 0.12.1 was released recently, adding support for HEEx templates, which are used in Phoenix LiveView. Sobelow is a static analysis tool for finding security issues in Elixir and Phoenix code. If you’re using Elixir in production, running Sobelow is highly recommended, because it automatically checks for common security issues.

Note: 0.12.1 is recommended over 0.12.0, because of an issue with castore.

Cross Site Scripting (XSS) and Potion Shop

Cross Site Scripting (XSS) refers to a class of vulnerability in web applications, where an attacker is able to inject a script into the browsing context of a victim. Potion Shop, an intentionally vulnerable Elixir/Phoenix application, has this problem:

The raw/1 function in Phoenix does not escape HTML, meaning a malicious attacker can inject their own JavaScript. The attacker creates a malicious review:

When the victim browses to the potion review page, the script executes:

Detecting XSS with Sobelow

The command mix sobelow -i SQL,Config ignores findings related to SQL and Config, because we are only interested in XSS currently. Sobelow 0.11.1 does not detect the XSS:

Testing Sobelow against Potion Shop was how I realized HEEx templates were not being scanned. My PR to add support was included in this release.

Upgrading Sobelow to 0.12.1 detects the issue:

This is because 0.12.1 adds support for .heex templates. HEEx is frequently used in LiveView applications, so upgrading is highly recommended.

Paraxial.io customers using the vulnerability scanning feature can upgrade their Paraxial agent to 2.3.1, which includes Sobelow version 0.12.1, to ensure their HEEx templates are being scanned correctly. https://hexdocs.pm/paraxial/changelog.html

Thank you to Holden Oullette for taking over maintenance of the Sobelow project.

Paraxial.io stops data breaches by securing your Elixir and Phoenix apps. Detect and fix critical security issues today. Attending ElixirConf EU (April 17th) in Lisbon? Paraxial.io founder Michael Lubas is giving the training Elixir Application Security and will be speaking at the conference. Hope to see you there!

Subscribe to stay up to date on new posts.