nccgroup · houllette · Feb 14, 2024 · Feb 12, 2024 · Feb 12, 2024 · Feb 12, 2024
diff --git a/.github/workflows/elixir.yml b/.github/workflows/elixir.yml
@@ -35,6 +35,8 @@ jobs:
             otp: 25.1
           - elixir: '1.15.x'
             otp: 26.0
+          - elixir: '1.16.x'
+            otp: 26.2
 
     steps:
     - name: Setup Elixir
@@ -56,11 +58,11 @@ jobs:
       run: mix hex.audit
 
     - name: Check Formatting
-      if: ${{ matrix.elixir == '1.15.x' }} # we only care about formatting for latest version of Elixir
+      if: ${{ matrix.elixir == '1.16.x' }} # we only care about formatting for latest version of Elixir
       run: mix format --check-formatted
 
     - name: Compiles w/o Warnings
-      if: ${{ matrix.elixir == '1.15.x' }} # we only care about warnings for latest version of Elixir
+      if: ${{ matrix.elixir == '1.16.x' }} # we only care about warnings for latest version of Elixir
       run: mix compile --warnings-as-errors
 
     - name: Credo

diff --git a/lib/sobelow.ex b/lib/sobelow.ex
@@ -324,10 +324,10 @@ defmodule Sobelow do
     phoenix_files =
       Enum.reduce(meta_files, %{routers: [], endpoints: []}, fn meta_file, acc ->
         cond do
-          meta_file.is_router? ->
+          meta_file.router? ->
             Map.update!(acc, :routers, &[meta_file.file_path | &1])
 
-          meta_file.is_endpoint? ->
+          meta_file.endpoint? ->
             Map.update!(acc, :endpoints, &[meta_file.file_path | &1])
 
           true ->
@@ -351,7 +351,7 @@ defmodule Sobelow do
     ignored_files = get_env(:ignored_files)
 
     Utils.template_files(root)
-    |> Enum.reject(&is_ignored_file(&1, ignored_files))
+    |> Enum.reject(&ignored_file?(&1, ignored_files))
     |> Enum.map(&get_template_meta/1)
     |> Map.new()
   end
@@ -368,7 +368,7 @@ defmodule Sobelow do
         filename: filename,
         raw: raw,
         ast: [ast],
-        is_controller?: false
+        controller?: false
       }
     }
   end
@@ -377,7 +377,7 @@ defmodule Sobelow do
     ignored_files = get_env(:ignored_files)
 
     Utils.all_files(root)
-    |> Enum.reject(&is_ignored_file(&1, ignored_files))
+    |> Enum.reject(&ignored_file?(&1, ignored_files))
     |> Enum.map(&get_file_meta/1)
   end
 
@@ -391,9 +391,9 @@ defmodule Sobelow do
       filename: Utils.normalize_path(filename),
       file_path: Path.expand(filename),
       def_funs: def_funs,
-      is_controller?: Utils.is_controller?(use_funs),
-      is_router?: Utils.is_router?(use_funs),
-      is_endpoint?: Utils.is_endpoint?(use_funs)
+      controller?: Utils.controller?(use_funs),
+      router?: Utils.router?(use_funs),
+      is_endpoint?: Utils.endpoint?(use_funs)
     }
   end
 
@@ -656,15 +656,15 @@ defmodule Sobelow do
     |> Enum.map(&get_mod/1)
   end
 
-  def is_vuln?({vars, _, _}) do
+  def vuln?({vars, _, _}) do
     if Enum.empty?(vars) do
       false
     else
       true
     end
   end
 
-  defp is_ignored_file(filename, ignored_files) do
+  defp ignored_file?(filename, ignored_files) do
     Enum.any?(ignored_files, fn ignored_file ->
       String.ends_with?(ignored_file, filename)
     end)

diff --git a/lib/sobelow/ci/os.ex b/lib/sobelow/ci/os.ex
@@ -17,7 +17,7 @@ defmodule Sobelow.CI.OS do
   use Sobelow.Finding
 
   def run(fun, meta_file) do
-    confidence = if !meta_file.is_controller?, do: :low
+    confidence = if !meta_file.controller?, do: :low
 
     Finding.init(@finding_type, meta_file.filename, confidence)
     |> Finding.multi_from_def(fun, parse_def(fun))

diff --git a/lib/sobelow/ci/system.ex b/lib/sobelow/ci/system.ex
@@ -17,7 +17,7 @@ defmodule Sobelow.CI.System do
   use Sobelow.Finding
 
   def run(fun, meta_file) do
-    confidence = if !meta_file.is_controller?, do: :low
+    confidence = if !meta_file.controller?, do: :low
 
     Finding.init(@finding_type, meta_file.filename, confidence)
     |> Finding.multi_from_def(fun, parse_def(fun))

diff --git a/lib/sobelow/config.ex b/lib/sobelow/config.ex
@@ -120,17 +120,17 @@ defmodule Sobelow.Config do
     |> Enum.reject(fn {type, _, _} -> type !== :plug end)
   end
 
-  def is_vuln_pipeline?({:pipeline, _, [_name, [do: block]]}, :csrf) do
+  def vuln_pipeline?({:pipeline, _, [_name, [do: block]]}, :csrf) do
     plugs = get_plug_list(block)
-    has_csrf? = Enum.any?(plugs, &is_plug?(&1, :protect_from_forgery))
-    has_session? = Enum.any?(plugs, &is_plug?(&1, :fetch_session))
+    has_csrf? = Enum.any?(plugs, &plug?(&1, :protect_from_forgery))
+    has_session? = Enum.any?(plugs, &plug?(&1, :fetch_session))
 
     has_session? and not has_csrf?
   end
 
-  def is_vuln_pipeline?({:pipeline, _, [_name, [do: block]]}, :headers) do
+  def vuln_pipeline?({:pipeline, _, [_name, [do: block]]}, :headers) do
     plugs = get_plug_list(block)
-    has_headers? = Enum.any?(plugs, &is_plug?(&1, :put_secure_browser_headers))
+    has_headers? = Enum.any?(plugs, &plug?(&1, :put_secure_browser_headers))
     accepts = Enum.find_value(plugs, &get_plug_accepts/1)
 
     !has_headers? && is_list(accepts) && Enum.member?(accepts, "html")
@@ -142,9 +142,9 @@ defmodule Sobelow.Config do
 
   def parse_accepts([{:<<>>, _, [accepts | _]}, []]), do: String.split(accepts, " ")
 
-  def is_plug?({:plug, _, [type]}, type), do: true
-  def is_plug?({:plug, _, [type, _]}, type), do: true
-  def is_plug?(_, _), do: false
+  def plug?({:plug, _, [type]}, type), do: true
+  def plug?({:plug, _, [type, _]}, type), do: true
+  def plug?(_, _), do: false
 
   def get_fuzzy_configs(key, filepath) do
     ast = Parse.ast(filepath)

diff --git a/lib/sobelow/config/csp.ex b/lib/sobelow/config/csp.ex
@@ -46,15 +46,15 @@ defmodule Sobelow.Config.CSP do
   def check_vuln_pipeline({:pipeline, _, [_name, [do: block]]} = pipeline, meta_file) do
     {vuln?, conf, plug} =
       Config.get_plug_list(block)
-      |> Enum.find(&is_header_plug?/1)
+      |> Enum.find(&header_plug?/1)
       |> missing_csp_status(meta_file)
 
     {vuln?, conf, plug, pipeline}
   end
 
-  defp is_header_plug?({:plug, _, [:put_secure_browser_headers]}), do: true
-  defp is_header_plug?({:plug, _, [:put_secure_browser_headers, _]}), do: true
-  defp is_header_plug?(_), do: false
+  defp header_plug?({:plug, _, [:put_secure_browser_headers]}), do: true
+  defp header_plug?({:plug, _, [:put_secure_browser_headers, _]}), do: true
+  defp header_plug?(_), do: false
 
   defp missing_csp_status({_, _, [:put_secure_browser_headers]} = plug, _),
     do: {true, :high, plug}

diff --git a/lib/sobelow/config/csrf.ex b/lib/sobelow/config/csrf.ex
@@ -28,12 +28,12 @@ defmodule Sobelow.Config.CSRF do
     finding = Finding.init(@finding_type, Utils.normalize_path(router))
 
     Config.get_pipelines(router)
-    |> Stream.filter(&is_vuln_pipeline?/1)
+    |> Stream.filter(&vuln_pipeline?/1)
     |> Enum.each(&add_finding(&1, finding))
   end
 
-  defp is_vuln_pipeline?(pipeline) do
-    Config.is_vuln_pipeline?(pipeline, :csrf)
+  defp vuln_pipeline?(pipeline) do
+    Config.vuln_pipeline?(pipeline, :csrf)
   end
 
   defp add_finding({:pipeline, _, [pipeline_name, _]} = pipeline, finding) do

diff --git a/lib/sobelow/config/headers.ex b/lib/sobelow/config/headers.ex
@@ -26,12 +26,12 @@ defmodule Sobelow.Config.Headers do
     finding = Finding.init(@finding_type, Utils.normalize_path(router))
 
     Config.get_pipelines(router)
-    |> Stream.filter(&is_vuln_pipeline?/1)
+    |> Stream.filter(&vuln_pipeline?/1)
     |> Enum.each(&add_finding(&1, finding))
   end
 
-  defp is_vuln_pipeline?(pipeline) do
-    Config.is_vuln_pipeline?(pipeline, :headers)
+  defp vuln_pipeline?(pipeline) do
+    Config.vuln_pipeline?(pipeline, :headers)
   end
 
   defp add_finding({:pipeline, _, [pipeline_name, _]} = pipeline, finding) do

diff --git a/lib/sobelow/config/secrets.ex b/lib/sobelow/config/secrets.ex
@@ -40,7 +40,7 @@ defmodule Sobelow.Config.Secrets do
 
   defp enumerate_secrets(secrets, file) do
     Enum.each(secrets, fn {fun, key, val} ->
-      if is_binary(val) && String.length(val) > 0 && !is_env_var?(val) do
+      if is_binary(val) && String.length(val) > 0 && !env_var?(val) do
         add_finding(file, Parse.get_fun_line(fun), fun, key, val)
       end
     end)
@@ -49,18 +49,18 @@ defmodule Sobelow.Config.Secrets do
   defp enumerate_fuzzy_secrets(secrets, file) do
     Enum.each(secrets, fn {fun, vals} ->
       Enum.each(vals, fn {k, v} ->
-        if is_binary(v) && String.length(v) > 0 && !is_env_var?(v) do
+        if is_binary(v) && String.length(v) > 0 && !env_var?(v) do
           add_finding(file, Parse.get_fun_line(fun), fun, k, v)
         end
       end)
     end)
   end
 
-  def is_env_var?("${" <> rest) do
+  def env_var?("${" <> rest) do
     String.ends_with?(rest, "}")
   end
 
-  def is_env_var?(_), do: false
+  def env_var?(_), do: false
 
   defp add_finding(file, line_no, fun, key, val) do
     {vuln_line_no, vuln_line_col} = get_vuln_line(file, line_no, val)

diff --git a/lib/sobelow/dos/binary_to_atom.ex b/lib/sobelow/dos/binary_to_atom.ex
@@ -17,7 +17,7 @@ defmodule Sobelow.DOS.BinToAtom do
   use Sobelow.Finding
 
   def run(fun, meta_file) do
-    confidence = if !meta_file.is_controller?, do: :low
+    confidence = if !meta_file.controller?, do: :low
 
     Finding.init(@finding_type, meta_file.filename, confidence)
     |> Finding.multi_from_def(fun, parse_def(fun))

diff --git a/lib/sobelow/dos/list_to_atom.ex b/lib/sobelow/dos/list_to_atom.ex
@@ -17,7 +17,7 @@ defmodule Sobelow.DOS.ListToAtom do
   use Sobelow.Finding
 
   def run(fun, meta_file) do
-    confidence = if !meta_file.is_controller?, do: :low
+    confidence = if !meta_file.controller?, do: :low
 
     Finding.init(@finding_type, meta_file.filename, confidence)
     |> Finding.multi_from_def(fun, parse_def(fun))

diff --git a/lib/sobelow/dos/string_to_atom.ex b/lib/sobelow/dos/string_to_atom.ex
@@ -17,7 +17,7 @@ defmodule Sobelow.DOS.StringToAtom do
   use Sobelow.Finding
 
   def run(fun, meta_file) do
-    confidence = if !meta_file.is_controller?, do: :low
+    confidence = if !meta_file.controller?, do: :low
 
     Finding.init(@finding_type, meta_file.filename, confidence)
     |> Finding.multi_from_def(fun, parse_def(fun))

diff --git a/lib/sobelow/parse.ex b/lib/sobelow/parse.ex
@@ -681,7 +681,7 @@ defmodule Sobelow.Parse do
 
     reflected_vars =
       Enum.filter(vars, fn var ->
-        (is_reflected_var?(var) && is_in_params?(var, params)) || is_conn_params?(var)
+        (reflected_var?(var) && in_params?(var, params)) || conn_params?(var)
       end)
 
     var_keys =
@@ -705,16 +705,16 @@ defmodule Sobelow.Parse do
     end
   end
 
-  defp is_reflected_var?({_, {_, _, nil}}), do: true
-  defp is_reflected_var?(_), do: false
+  defp reflected_var?({_, {_, _, nil}}), do: true
+  defp reflected_var?(_), do: false
 
-  defp is_in_params?({_, {var, _, _}}, params) do
+  defp in_params?({_, {var, _, _}}, params) do
     Enum.member?(params, var)
   end
 
-  def is_conn_params?({_, {{:., _, [Access, :get]}, _, access_opts}}),
-    do: is_conn_params?(access_opts)
+  def conn_params?({_, {{:., _, [Access, :get]}, _, access_opts}}),
+    do: conn_params?(access_opts)
 
-  def is_conn_params?([{{:., _, [{:conn, _, nil}, :params]}, _, []}, _]), do: true
-  def is_conn_params?(_), do: false
+  def conn_params?([{{:., _, [{:conn, _, nil}, :params]}, _, []}, _]), do: true
+  def conn_params?(_), do: false
 end
diff --git a/lib/sobelow/rce/code_module.ex b/lib/sobelow/rce/code_module.ex
@@ -22,7 +22,7 @@ defmodule Sobelow.RCE.CodeModule do
   @code_funs [:eval_string, :eval_file, :eval_quoted]
 
   def run(fun, meta_file) do
-    confidence = if !meta_file.is_controller?, do: :low
+    confidence = if !meta_file.controller?, do: :low
 
     Enum.each(@code_funs, fn code_fun ->
       "RCE.CodeModule: Code Execution in `Code.#{code_fun}`"

diff --git a/lib/sobelow/rce/eex.ex b/lib/sobelow/rce/eex.ex
@@ -17,7 +17,7 @@ defmodule Sobelow.RCE.EEx do
   @eex_funs [:eval_string, :eval_file]
 
   def run(fun, meta_file) do
-    confidence = if !meta_file.is_controller?, do: :low
+    confidence = if !meta_file.controller?, do: :low
 
     Enum.each(@eex_funs, fn eex_fun ->
       "RCE.EEx: Code Execution in `EEx.#{eex_fun}`"

diff --git a/lib/sobelow/sql/query.ex b/lib/sobelow/sql/query.ex
@@ -19,7 +19,7 @@ defmodule Sobelow.SQL.Query do
   use Sobelow.Finding
 
   def run(fun, meta_file) do
-    confidence = if !meta_file.is_controller?, do: :low
+    confidence = if !meta_file.controller?, do: :low
 
     Enum.each(@query_funcs, fn query_func ->
       Finding.init(@finding_type, meta_file.filename, confidence)

diff --git a/lib/sobelow/sql/stream.ex b/lib/sobelow/sql/stream.ex
@@ -17,7 +17,7 @@ defmodule Sobelow.SQL.Stream do
   use Sobelow.Finding
 
   def run(fun, meta_file) do
-    confidence = if !meta_file.is_controller?, do: :low
+    confidence = if !meta_file.controller?, do: :low
 
     Finding.init(@finding_type, meta_file.filename, confidence)
     |> Finding.multi_from_def(fun, parse_sql_def(fun))

diff --git a/lib/sobelow/traversal/file_module.ex b/lib/sobelow/traversal/file_module.ex
@@ -40,7 +40,7 @@ defmodule Sobelow.Traversal.FileModule do
   @double_file_funcs [:cp, :copy, :cp!, :copy!, :cp_r, :cp_r!, :ln, :ln!, :ln_s, :ln_s!]
 
   def run(fun, meta_file) do
-    confidence = if !meta_file.is_controller?, do: :low
+    confidence = if !meta_file.controller?, do: :low
 
     Enum.each(@file_funcs ++ @double_file_funcs, fn file_func ->
       "Traversal.FileModule: Directory Traversal in `File.#{file_func}`"

diff --git a/lib/sobelow/traversal/send_download.ex b/lib/sobelow/traversal/send_download.ex
@@ -17,7 +17,7 @@ defmodule Sobelow.Traversal.SendDownload do
   use Sobelow.Finding
 
   def run(fun, meta_file) do
-    confidence = if !meta_file.is_controller?, do: :low
+    confidence = if !meta_file.controller?, do: :low
 
     Finding.init(@finding_type, meta_file.filename, confidence)
     |> Finding.multi_from_def(fun, parse_def(fun))

diff --git a/lib/sobelow/traversal/send_file.ex b/lib/sobelow/traversal/send_file.ex
@@ -17,7 +17,7 @@ defmodule Sobelow.Traversal.SendFile do
   use Sobelow.Finding
 
   def run(fun, meta_file) do
-    confidence = if !meta_file.is_controller?, do: :low
+    confidence = if !meta_file.controller?, do: :low
 
     Finding.init(@finding_type, meta_file.filename, confidence)
     |> Finding.multi_from_def(fun, parse_def(fun))

diff --git a/lib/sobelow/utils.ex b/lib/sobelow/utils.ex
@@ -3,17 +3,17 @@ defmodule Sobelow.Utils do
 
   alias Sobelow.Parse
 
-  def is_controller?(uses) do
+  def controller?(uses) do
     has_use_type?(uses, :controller)
   end
 
-  def is_router?(uses) do
+  def router?(uses) do
     has_use_type?(uses, :router)
   end
 
-  def is_endpoint?([{:use, _, [{_, _, [:Phoenix, :Endpoint]}, _]} | _]), do: true
-  def is_endpoint?([_ | t]), do: is_endpoint?(t)
-  def is_endpoint?(_), do: false
+  def endpoint?([{:use, _, [{_, _, [:Phoenix, :Endpoint]}, _]} | _]), do: true
+  def endpoint?([_ | t]), do: endpoint?(t)
+  def endpoint?(_), do: false
 
   def has_use_type?([{:use, _, [_, type]} | _], type), do: true
   def has_use_type?([_ | t], type), do: has_use_type?(t, type)

diff --git a/lib/sobelow/xss.ex b/lib/sobelow/xss.ex
@@ -30,7 +30,7 @@ defmodule Sobelow.XSS do
 
   def get_vulns(fun, meta_file, web_root, skip_mods \\ []) do
     controller =
-      if meta_file.is_controller? do
+      if meta_file.controller? do
         String.replace_suffix(meta_file.filename, "_controller.ex", "")
         |> Path.basename()
       end

diff --git a/lib/sobelow/xss/content_type.ex b/lib/sobelow/xss/content_type.ex
@@ -27,7 +27,7 @@ defmodule Sobelow.XSS.ContentType do
   use Sobelow.Finding
 
   def run(fun, meta_file) do
-    confidence = if !meta_file.is_controller?, do: :low
+    confidence = if !meta_file.controller?, do: :low
 
     Finding.init(@finding_type, meta_file.filename, confidence)
     |> Finding.multi_from_def(fun, parse_def(fun))