sobelow
sobelow copied to clipboard
nccgroup
Document Sobelow.XSS.SendResp
Please provide documentation on the Sobelow.XSS.SendResp lint including ideal resolution.
Yeah, I've just has this come up as a "medium confidence" using Plug.Conn's send_resp even though no user-provided data is being included in the response.
I would like to see what's causing this, and what a suggested resolution would be. For now I've convinced myself what I'm doing is fine and I've disabled the warning.
I have it - I am passing the POST request into a function, but returning a hard-coded string
defp handle_body(conn, body) do
case parse(body) do
{:ok, tree} ->
Conn.assign(conn, :tree, tree)
{:error, _fatal} ->
conn
|> send_resp(@bad_request, invalid_xml_body())
|> halt
end
end
@spec invalid_xml_body :: String.t()
def invalid_xml_body, do: "INVALID XML"
The complaint:
"medium_confidence": [
{
"file": "lib/XXXX/plugs/xml.ex",
"line": 55,
"type": "XSS.SendResp: XSS in `send_resp`",
"variable": "invalid_xml_body"
}
]
},
"sobelow_version": "0.10.4",
"total_findings": 1
The return value was a function to allow use in unit test - by replacing the return value with a module attribute I was able to avoid the warning
We're still encountering this problem and it doesn't seem terribly useful without any documentation.
We are using a content engine to generate the string for the entire HTML page, and then using conn |> send_resp(:ok, content) with the returned content.
It's in a GET request too.
ongoing maintenance for this library has been an issue for a while now, see: https://github.com/nccgroup/sobelow/issues/113
I had a same issue where I was returning an API response from the controller. The controller action was this :
defmodule CauldronWeb.ApiController do
use CauldronWeb, :controller
# Some processing library
alias Cauldron.RequestProcessor
def api_specs(conn, params) do
{status_code, response_body} = RequestProcessor.handle_get_api_spec_request(params)
conn
|> send_resp(status_code, response_body |> Jason.encode!())
end
end
When I ran the mix sobelow command, I got the warning
{
"findings": {
"high_confidence": [],
"low_confidence": [],
"medium_confidence": [
{
"file": "lib/cauldron_web/controllers/api_controller.ex",
"line": 11,
"type": "XSS.SendResp: XSS in `send_resp`",
"variable": "|>"
}
]
},
"sobelow_version": "0.11.1"
}
To fix this I added the put_resp_content_type("application/json") before sending response. (I am having a JSON API)
The final code looked something like this
defmodule CauldronWeb.ApiController do
use CauldronWeb, :controller
alias Cauldron.RequestProcessor
def api_specs(conn, params) do
{status_code, response_body} = RequestProcessor.handle_get_api_spec_request(params)
conn
|> put_resp_content_type("application/json")
|> send_resp(status_code, response_body |> Jason.encode!())
end
end
Sobelow can't always know whether any given variable is user supplied input so it appears to be assuming that it could be if the response body is generated dynamically in any way, e.g. via a function call. That would be why @devstopfix was able to fix one problem by moving the body from a method to a module attribute.
At least I think that's how it works. The Sobelow code is pretty hard to follow. I can't tell how this would ever generate a medium confidence issue but that's what it's doing.
