Michael Lubas, 2023-03-30
0.12.1 was released recently, adding support for HEEx templates, which are used in Phoenix LiveView. Sobelow is a static analysis tool for finding security issues in Elixir and Phoenix code. If you’re using Elixir in production, running Sobelow is highly recommended, because it automatically checks for common security issues.
0.12.1 is recommended over 0.12.0, because of an issue with castore.
Cross Site Scripting (XSS) refers to a class of vulnerability in web applications, where an attacker is able to inject a script into the browsing context of a victim. Potion Shop, an intentionally vulnerable Elixir/Phoenix application, has this problem:
When the victim browses to the potion review page, the script executes:
mix sobelow -i SQL,Config ignores findings in the SQL and Config categories, because we are only interested in XSS currently. Sobelow 0.11.1 does not detect the XSS:
Testing Sobelow against Potion Shop was how I realized HEEx templates were not being scanned. My PR to add support was included in this release.
Upgrading Sobelow to 0.12.1 detects the issue:
This is because 0.12.1 adds support for .heex templates. HEEx is frequently used in LiveView applications, so upgrading is highly recommended.
Paraxial.io customers using the vulnerability scanning feature can upgrade their Paraxial agent to 2.3.1, which includes Sobelow version 0.12.1, to ensure their HEEx templates are being scanned correctly. https://hexdocs.pm/paraxial/changelog.html
Thank you to Holden Oullette for taking over maintenance of the Sobelow project.