Some sobelow fixes

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2021-01-22 19:11:13 +01:00 · 2021-01-22 19:11:13 +01:00 · 7b91367145
parent 21698f754d
commit 7b91367145
9 changed files with 17 additions and 8 deletions
--- a/.sobelow-conf
+++ b/.sobelow-conf
@ -2,11 +2,11 @@
  verbose: true,
  private: false,
  skip: true,
-  router: "",
-  exit: "false",
+  router: "lib/web/router.ex",
+  exit: "low",
  format: "txt",
  out: "",
-  threshold: "low",
-  ignore: ["Config.Secrets", "XSS", "Config.HTTPS"],
-  ignore_files: [""]
+  threshold: "medium",
+  ignore: ["Config.HTTPS"],
+  ignore_files: ["config/dev.1.secret.exs", "config/dev.2.secret.exs", "config/dev.3.secret.exs", "config/dev.secret.exs", "config/e2e.secret.exs", "config/prod.secret.exs", "config/test.secret.exs"]
 ]
--- a/.sobelow-skips
+++ b/.sobelow-skips
@ -0,0 +1,2 @@
+
+AACA51671C4B3C803ACBCA3FADE84CDE
--- a/lib/mobilizon.ex
+++ b/lib/mobilizon.ex
@ -76,10 +76,11 @@ defmodule Mobilizon do
    :ok
  end

+  # sobelow_skip ["DOS.StringToAtom"]
  @spec cachex_spec(atom, integer, integer, integer, function | nil) :: Supervisor.child_spec()
  defp cachex_spec(name, limit, default, interval, fallback \\ nil) do
    %{
-      id: :"cache_#{name}",
+      id: String.to_atom("cache_#{to_string(name)}"),
      start:
        {Cachex, :start_link,
         [
--- a/lib/mobilizon/discussions/discussions.ex
+++ b/lib/mobilizon/discussions/discussions.ex
@ -58,6 +58,7 @@ defmodule Mobilizon.Discussions do
  @doc """
  Callback for Absinthe Ecto Dataloader
  """
+  # sobelow_skip ["SQL.Query"]
  @spec data :: Dataloader.Ecto.t()
  def data do
    Dataloader.Ecto.new(Repo, query: &query/2)
--- a/lib/mobilizon/resources/resources.ex
+++ b/lib/mobilizon/resources/resources.ex
@ -185,6 +185,7 @@ defmodule Mobilizon.Resources do
    end)
  end

+  # sobelow_skip ["SQL.Query"]
  @spec update_children(Multi.t(), Resource.t(), map()) :: Multi.t()
  defp update_children(
         %Multi{} = multi,
--- a/lib/web/auth/error_handler.ex
+++ b/lib/web/auth/error_handler.ex
@ -4,6 +4,7 @@ defmodule Mobilizon.Web.Auth.ErrorHandler do
  """
  import Plug.Conn

+  # sobelow_skip ["XSS.SendResp"]
  def auth_error(conn, {type, _reason}, _opts) do
    body = Jason.encode!(%{message: to_string(type)})
    send_resp(conn, 401, body)
--- a/lib/web/proxy/reverse_proxy.ex
+++ b/lib/web/proxy/reverse_proxy.ex
@ -145,6 +145,7 @@ defmodule Mobilizon.Web.ReverseProxy do
    end
  end

+  # sobelow_skip ["XSS.SendResp"]
  def call(conn, _, _) do
    conn
    |> send_resp(400, Conn.Status.reason_phrase(400))
@ -223,6 +224,7 @@ defmodule Mobilizon.Web.ReverseProxy do
    |> send_resp(code, "")
  end

+  # sobelow_skip ["XSS.SendResp"]
  defp error_or_redirect(conn, url, code, body, opts) do
    if Keyword.get(opts, :redirect_on_failure, false) do
      conn
--- a/lib/web/router.ex
+++ b/lib/web/router.ex
@ -163,8 +163,8 @@ defmodule Mobilizon.Web.Router do
    get("/interact", PageController, :interact)

    get("/auth/:provider", AuthController, :request)
-    # sobelow_skip ["Config.CSRFRoute"]
-    # Possibly related to https://github.com/ueberauth/ueberauth/issues/125
+    # Have a look at https://github.com/ueberauth/ueberauth/issues/125 some day
+    # Also possible CSRF issue
    get("/auth/:provider/callback", AuthController, :callback)
    post("/auth/:provider/callback", AuthController, :callback)
  end
--- a/lib/web/views/utils.ex
+++ b/lib/web/views/utils.ex
@ -5,6 +5,7 @@ defmodule Mobilizon.Web.Views.Utils do

  alias Mobilizon.Service.Metadata.Utils, as: MetadataUtils

+  # sobelow_skip ["Traversal.FileModule"]
  @spec inject_tags(Enum.t(), String.t()) :: {:safe, String.t()}
  def inject_tags(tags, locale \\ "en") do
    with {:ok, index_content} <- File.read(index_file_path()) do