From d7887c7f4bd9a8e531c5e5c098dbeb9e4a7a741f Mon Sep 17 00:00:00 2001
From: btmo
Date: Mon, 13 May 2024 11:58:59 +0200
Subject: [PATCH] ignore runtime config in hsts check
---
 lib/sobelow/config/hsts.ex          | 11 +++++++----
 test/config/hsts_test.exs           | 27 +++++++++++++++++++++++++++
 test/fixtures/hsts/missing_prod.exs |  4 ++++
 test/fixtures/hsts/present_prod.exs |  5 +++++
 test/fixtures/hsts/runtime.exs      |  4 ++++
 5 files changed, 47 insertions(+), 4 deletions(-)
 create mode 100644 test/config/hsts_test.exs
 create mode 100644 test/fixtures/hsts/missing_prod.exs
 create mode 100644 test/fixtures/hsts/present_prod.exs
 create mode 100644 test/fixtures/hsts/runtime.exs
diff --git a/lib/sobelow/config/hsts.ex b/lib/sobelow/config/hsts.ex
index 103c4ba..4081e07 100644
--- a/lib/sobelow/config/hsts.ex
+++ b/lib/sobelow/config/hsts.ex
@@ -14,20 +14,23 @@ defmodule Sobelow.Config.HSTS do
   @uid 8
   @finding_type "Config.HSTS: HSTS Not Enabled"
+  @ignored_files ["runtime.exs"]
 
   use Sobelow.Finding
 
   def run(dir_path, configs) do
     Enum.each(configs, fn conf ->
-      path = dir_path <> conf
+      unless Enum.member?(@ignored_files, conf) do
+        path = dir_path <> conf
 
-      Config.get_configs_by_file(:https, path)
-      |> handle_https(path)
+        Config.get_configs_by_file(:https, path)
+        |> handle_https(path)
+      end
     end)
   end
 
   defp handle_https(opts, file) do
-    # If HTTPS configs were found in any config file and there
+    # If HTTPS configs were found in any compile-time config file and there
     # are no accompanying HSTS configs, add an HSTS finding.
     if length(opts) > 0 && Enum.empty?(Config.get_configs(:force_ssl, file)) do
       add_finding(file)
diff --git a/test/config/hsts_test.exs b/test/config/hsts_test.exs
new file mode 100644
index 0000000..97f36e8
--- /dev/null
+++ b/test/config/hsts_test.exs
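Review bot: Skipping `runtime.exs` wholesale in `run/2` trades the old false positive for a false negative: an application whose `https:` endpoint options live only in runtime.exs (a common release layout) and that sets `force_ssl` nowhere now yields no HSTS finding at all, because `handle_https/2` only looks for `force_ssl` in the single file it was handed. A narrower fix would keep scanning runtime.exs for `https` and let the `force_ssl` lookup span the other config files, or at minimum state the trade-off in the module's `@moduledoc` (outside this hunk) so users know runtime configuration is not covered by this check. On the new lines themselves, `conf` is matched as a bare basename, so if callers ever pass `config/runtime.exs`-style paths the exclusion silently stops applying; `if Path.basename(conf) not in @ignored_files do` is more robust and also avoids `unless`, which is soft-deprecated since Elixir 1.18. `handle_https/2` continues past the end of the hunk.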
@@ -0,0 +1,27 @@
+defmodule SobelowTest.Config.HstsTest do
+  use ExUnit.Case
+  alias Sobelow.Config.HSTS
+
+  setup do
+    Application.put_env(:sobelow, :format, "json")
+    Sobelow.Fingerprint.start_link()
+    Sobelow.FindingLog.start_link()
+
+    :ok
+  end
+
+  test "complains when force_ssl is missing in prod.exs" do
+    HSTS.run("./test/fixtures/hsts/", ["missing_prod.exs"])
+    assert Sobelow.FindingLog.json("1") =~ "Config.HSTS: HSTS Not Enabled"
+  end
+
+  test "does not complain when force_ssl is present in prod.exs" do
+    HSTS.run("./test/fixtures/hsts/", ["present_prod.exs"])
+    refute Sobelow.FindingLog.json("1") =~ "Config.HSTS: HSTS Not Enabled"
+  end
+
+  test "does not complain when force_ssl is missing in runtime.exs" do
+    HSTS.run("./test/fixtures/hsts/", ["runtime.exs"])
+    refute Sobelow.FindingLog.json("1") =~ "Config.HSTS: HSTS Not Enabled"
+  end
+end
diff --git a/test/fixtures/hsts/missing_prod.exs b/test/fixtures/hsts/missing_prod.exs
new file mode 100644
index 0000000..b4f7f7d
--- /dev/null
+++ b/test/fixtures/hsts/missing_prod.exs
@@ -0,0 +1,4 @@
+use Config
+
+config :phoenix_app,
+  https: []
diff --git a/test/fixtures/hsts/present_prod.exs b/test/fixtures/hsts/present_prod.exs
new file mode 100644
index 0000000..1febf5d
--- /dev/null
+++ b/test/fixtures/hsts/present_prod.exs
@@ -0,0 +1,5 @@
+use Config
+
+config :phoenix_app,
+  https: [],
+  force_ssl: [hsts: true]
diff --git a/test/fixtures/hsts/runtime.exs b/test/fixtures/hsts/runtime.exs
new file mode 100644
index 0000000..b4f7f7d
--- /dev/null
+++ b/test/fixtures/hsts/runtime.exs
@@ -0,0 +1,4 @@
+use Config
+
+config :phoenix_app,
+  https: []
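Review bot: `setup` discards the results of `Sobelow.Fingerprint.start_link()` and `Sobelow.FindingLog.start_link()`, so a failed start or an `{:error, {:already_started, _}}` goes unnoticed, and the three tests presumably stay isolated only because the linked processes die together with each test process rather than through any explicit teardown. `start_supervised!(Sobelow.FindingLog)` (if those modules expose a child spec) or at least `{:ok, _} = Sobelow.FindingLog.start_link()` makes the lifecycle explicit and surfaces the failure where it happens. `Application.put_env(:sobelow, :format, "json")` is process-global and never restored, which is acceptable only while this module stays non-async; an `on_exit` that puts back the previous value keeps it from bleeding into other test files. The meaning of the `"1"` argument to `Sobelow.FindingLog.json/1` is not evident from the test, so a short comment on its first use would help the next reader.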