set up sobelow for backend

.gitignore

@@ -1,10 +1,11 @@
 *.csv
 .idea/
 *.gexf
-backend/whitelist.txt
 data/
 .vscode/
 
+backend/.sobelow
+
 # Environments
 .env
 .env*

.gitlab-ci.yml

@@ -16,8 +16,31 @@ test-frontend:
   only:
     changes:
       - frontend/*
+
+backend-sobelow:
+  stage: test
+  image: elixir:1.9
+  only:
+    changes:
+      - backend/*
+  before_script:
+    - cd backend
+  script:
+    - mix local.hex --force
+    - mix local.rebar --force
+    - mix deps.get
+    - mix deps.compile
+    - mix sobelow --config
+  cache:
+    paths:
+      - backend/deps/
+      - backend/_build/
+
 deploy-backend-develop:
   stage: deploy
+  environment:
+    name: develop
+    url: https://phoenix.api-develop.fediverse.space
   image: ilyasemenov/gitlab-ci-git-push
   only:
     refs:
@@ -26,9 +49,12 @@ deploy-backend-develop:
       - backend/*
   script:
     - git-push ssh://dokku@api-develop.fediverse.space:phoenix
+
 deploy-gephi-develop:
   stage: deploy
   image: ilyasemenov/gitlab-ci-git-push
+  environment:
+    name: develop
   only:
     refs:
       - develop

backend/.sobelow-conf

@@ -0,0 +1,12 @@
+[
+  verbose: false,
+  private: false,
+  skip: true,
+  router: "",
+  exit: "false",
+  format: "txt",
+  out: "",
+  threshold: "low",
+  ignore: ["Config.HTTPS"],
+  ignore_files: [""]
+]

backend/README.md

@@ -4,6 +4,7 @@
 
 - This project requires Elixir >= 1.9.
 - Run with `SKIP_CRAWL=true` to just run the server (useful for working on the API without also crawling)
+- This project is automatically scanned for potential vulnerabilities with [Sobelow](https://sobelow.io/).
 
 ## Deployment
 

backend/lib/backend/crawler/crawlers/mastodon.ex

@@ -15,6 +15,7 @@ defmodule Backend.Crawler.Crawlers.Mastodon do
   end
 
   @impl ApiCrawler
+  # sobelow_skip ["DOS.StringToAtom"]
   def crawl(domain) do
     instance = Jason.decode!(get!("https://#{domain}/api/v1/instance").body)
 
@@ -33,6 +34,7 @@ defmodule Backend.Crawler.Crawlers.Mastodon do
   end
 
   @spec crawl_large_instance(String.t(), any()) :: ApiCrawler.t()
+  # sobelow_skip ["DOS.StringToAtom"]
   defp crawl_large_instance(domain, instance) do
     # servers may not publish peers
     peers =

backend/mix.exs

@@ -45,7 +45,8 @@ defmodule Backend.MixProject do
       {:timex, "~> 3.5"},
       {:honeydew, "~> 1.4.3"},
       {:quantum, "~> 2.3"},
-      {:corsica, "~> 1.1.2"}
+      {:corsica, "~> 1.1.2"},
+      {:sobelow, "~> 0.8", only: :dev}
     ]
   end
 

backend/mix.lock

@@ -34,6 +34,7 @@
   "postgrex": {:hex, :postgrex, "0.14.3", "5754dee2fdf6e9e508cbf49ab138df964278700b764177e8f3871e658b345a1e", [:mix], [{:connection, "~> 1.0", [hex: :connection, repo: "hexpm", optional: false]}, {:db_connection, "~> 2.0", [hex: :db_connection, repo: "hexpm", optional: false]}, {:decimal, "~> 1.5", [hex: :decimal, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}], "hexpm"},
   "quantum": {:hex, :quantum, "2.3.4", "72a0e8855e2adc101459eac8454787cb74ab4169de6ca50f670e72142d4960e9", [:mix], [{:calendar, "~> 0.17", [hex: :calendar, repo: "hexpm", optional: true]}, {:crontab, "~> 1.1", [hex: :crontab, repo: "hexpm", optional: false]}, {:gen_stage, "~> 0.12", [hex: :gen_stage, repo: "hexpm", optional: false]}, {:swarm, "~> 3.3", [hex: :swarm, repo: "hexpm", optional: false]}, {:timex, "~> 3.1", [hex: :timex, repo: "hexpm", optional: true]}], "hexpm"},
   "ranch": {:hex, :ranch, "1.7.1", "6b1fab51b49196860b733a49c07604465a47bdb78aa10c1c16a3d199f7f8c881", [:rebar3], [], "hexpm"},
+  "sobelow": {:hex, :sobelow, "0.8.0", "a3ec73e546dfde19f14818e5000c418e3f305d9edb070e79dd391de0ae1cd1ea", [:mix], [], "hexpm"},
   "ssl_verify_fun": {:hex, :ssl_verify_fun, "1.1.4", "f0eafff810d2041e93f915ef59899c923f4568f4585904d010387ed74988e77b", [:make, :mix, :rebar3], [], "hexpm"},
   "swarm": {:hex, :swarm, "3.4.0", "64f8b30055d74640d2186c66354b33b999438692a91be275bb89cdc7e401f448", [:mix], [{:gen_state_machine, "~> 2.0", [hex: :gen_state_machine, repo: "hexpm", optional: false]}, {:libring, "~> 1.0", [hex: :libring, repo: "hexpm", optional: false]}], "hexpm"},
   "telemetry": {:hex, :telemetry, "0.4.0", "8339bee3fa8b91cb84d14c2935f8ecf399ccd87301ad6da6b71c09553834b2ab", [:rebar3], [], "hexpm"},

frontend/package.json

@@ -67,6 +67,7 @@
     "husky": "^3.0.0",
     "lint-staged": "^9.2.0",
     "tslint": "^5.18.0",
+    "tslint-config-security": "^1.16.0",
     "tslint-eslint-rules": "^5.4.0",
     "typescript": "^3.5.3"
   },

frontend/tslint.json

@@ -4,9 +4,8 @@
     "tslint-eslint-rules",
     "tslint-react",
     "@blueprintjs/tslint-config/blueprint-rules",
-    "tslint-config-prettier"
+    "tslint-config-prettier",
+    "tslint-config-security"
   ],
-  "exclude": [
+  "exclude": ["**/*.css"]
-    "**/*.css"
-  ]
 }

frontend/yarn.lock

@@ -10449,6 +10449,13 @@ tslint-config-prettier@^1.17.0:
   resolved "https://registry.yarnpkg.com/tslint-config-prettier/-/tslint-config-prettier-1.18.0.tgz#75f140bde947d35d8f0d238e0ebf809d64592c37"
   integrity sha512-xPw9PgNPLG3iKRxmK7DWr+Ea/SzrvfHtjFt5LBl61gk2UBG/DB9kCXRjv+xyIU1rUtnayLeMUVJBcMX8Z17nDg==
 
+tslint-config-security@^1.16.0:
+  version "1.16.0"
+  resolved "https://registry.yarnpkg.com/tslint-config-security/-/tslint-config-security-1.16.0.tgz#a561fdf1fccc3986f78c2a12f1c1f5e0b50f6476"
+  integrity sha512-wwM+COg4FX1Gl6VnvaTV9zqcUY6cs4XkiP6T3qhc6s20Xy4J9irui6+fkP07yVkrwfcNFneji3YcIwiMvKSQPQ==
+  dependencies:
+    safe-regex "^1.1.0"
+
 tslint-eslint-rules@^5.4.0:
   version "5.4.0"
   resolved "https://registry.yarnpkg.com/tslint-eslint-rules/-/tslint-eslint-rules-5.4.0.tgz#e488cc9181bf193fe5cd7bfca213a7695f1737b5"