Merge pull request #10 from change/barrie/CHANGE-47963-add-sobelow

CHANGE-47963 - add sobelow and review the vulnerabilities
change · Feb 6, 2020 · e699c12 · e699c12
2 parents 41e8adf + 9a2d984
commit e699c12
Show file tree

Hide file tree

Showing 7 changed files with 29 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -3,3 +3,12 @@
 erl_crash.dump
 *.ez
 .tmux.rb
+
+# OSX's favorite useless file
+.DS_Store
+
+# VS Code plugin
+/.elixir_ls/
+
+# Generated sobelow file
+.sobelow
diff --git a/.sobelow-conf b/.sobelow-conf
@@ -0,0 +1,12 @@
+[
+  verbose: false,
+  private: false,
+  skip: true,
+  router: "",
+  exit: "false",
+  format: "txt",
+  out: "",
+  threshold: "low",
+  ignore: ["Config.CSRF", "Config.HTTPS"],
+  ignore_files: [""]
+]
diff --git a/lib/linguist/compiler.ex b/lib/linguist/compiler.ex
@@ -103,6 +103,7 @@ defmodule Linguist.Compiler do
     end
   end
 
+  # sobelow_skip ["DOS.StringToAtom"]
   defp interpolate(string, var) do
     @interpol_rgx
     |> Regex.split(string, on: [:head, :tail])

diff --git a/lib/linguist/memorized_vocabulary.ex b/lib/linguist/memorized_vocabulary.ex
@@ -62,6 +62,7 @@ defmodule Linguist.MemorizedVocabulary do
     end
   end
 
+  # sobelow_skip ["DOS.StringToAtom"]
   defp do_t(locale, translation_key, bindings) do
     case :ets.lookup(:translations_registry, "#{locale}.#{translation_key}") do
       [] -> {:error, :no_translation}

diff --git a/lib/linguist/vocabulary.ex b/lib/linguist/vocabulary.ex
@@ -96,9 +96,12 @@ defmodule Linguist.Vocabulary do
   Recursive function used internally for loading yaml files.
   Not intended for external use
   """
+  # sobelow_skip ["DOS.StringToAtom"]
   def _yaml_reducer({key, value}, acc) when is_binary(value) do
     [{String.to_atom(key), value} | acc]
   end
+
+  # sobelow_skip ["DOS.StringToAtom"]
   def _yaml_reducer({key, value}, acc) do
     [{String.to_atom(key), Enum.reduce(value, [], &Linguist.Vocabulary._yaml_reducer/2)} | acc]
   end

diff --git a/mix.exs b/mix.exs
@@ -30,7 +30,8 @@ defmodule Linguist.Mixfile do
       {:ex_cldr, "~> 1.6.0"},
       {:jason, "~> 1.0"},
       {:yaml_elixir, "~> 2.0"},
-      {:credo, "~> 0.9.0", only: [:dev, :test], runtime: false}
+      {:credo, "~> 0.9.0", only: [:dev, :test], runtime: false},
+      {:sobelow, "~> 0.10", only: :dev, runtime: false}
     ]
   end
 end
diff --git a/mix.lock b/mix.lock
@@ -6,6 +6,7 @@
   "ex_cldr": {:hex, :ex_cldr, "1.6.4", "28b0aebdc38bb04414fce24679365a9355d1fce3ca731c7273d34927c6bdb8ce", [:mix], [{:abnf2, "~> 0.1", [hex: :abnf2, repo: "hexpm", optional: false]}, {:decimal, "~> 1.4", [hex: :decimal, repo: "hexpm", optional: false]}, {:gettext, "~> 0.13", [hex: :gettext, repo: "hexpm", optional: true]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:phoenix, "~> 1.3", [hex: :phoenix, repo: "hexpm", optional: true]}, {:plug, "~> 1.4", [hex: :plug, repo: "hexpm", optional: true]}, {:poison, "~> 2.1 or ~> 3.0", [hex: :poison, repo: "hexpm", optional: true]}, {:sweet_xml, "~> 0.6", [hex: :sweet_xml, repo: "hexpm", optional: true]}], "hexpm"},
   "jason": {:hex, :jason, "1.0.0", "0f7cfa9bdb23fed721ec05419bcee2b2c21a77e926bce0deda029b5adc716fe2", [:mix], [{:decimal, "~> 1.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm"},
   "poison": {:hex, :poison, "3.1.0", "d9eb636610e096f86f25d9a46f35a9facac35609a7591b3be3326e99a0484665", [:mix], [], "hexpm"},
+  "sobelow": {:hex, :sobelow, "0.10.0", "2beea5387dd47ce5ead9df0562eb93b33e4b574d006ea31b8dce9e0cc775a4d6", [:mix], [], "hexpm"},
   "yamerl": {:hex, :yamerl, "0.7.0", "e51dba652dce74c20a88294130b48051ebbbb0be7d76f22de064f0f3ccf0aaf5", [:rebar3], [], "hexpm"},
   "yaml_elixir": {:hex, :yaml_elixir, "2.0.0", "5d7c40e039b076c0da1921b2754d4a91bc435ac4434bef633f5506dbafd6b8f2", [:mix], [{:yamerl, "~> 0.5", [hex: :yamerl, repo: "hexpm", optional: false]}], "hexpm"},
   "yomel": {:hex, :yomel, "0.5.0", "c5a42d1818deda3f85ae14b1f01f6ece22b9ed8e8087012359fc04b59d85f621", [:make, :mix], [], "hexpm"},