set up sobelow for backend

2019-07-17 16:16:25 +00:00 · 2019-07-17 16:16:25 +00:00 · 4a87c49baf
parent da40e52ba5
commit 4a87c49baf
10 changed files with 57 additions and 6 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,10 +1,11 @@
 *.csv
 .idea/
 *.gexf
-backend/whitelist.txt
 data/
 .vscode/

+backend/.sobelow
+
 # Environments
 .env
 .env*
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -16,8 +16,31 @@ test-frontend:
  only:
    changes:
      - frontend/*
+
+backend-sobelow:
+  stage: test
+  image: elixir:1.9
+  only:
+    changes:
+      - backend/*
+  before_script:
+    - cd backend
+  script:
+    - mix local.hex --force
+    - mix local.rebar --force
+    - mix deps.get
+    - mix deps.compile
+    - mix sobelow --config
+  cache:
+    paths:
+      - backend/deps/
+      - backend/_build/
+
 deploy-backend-develop:
  stage: deploy
+  environment:
+    name: develop
+    url: https://phoenix.api-develop.fediverse.space
  image: ilyasemenov/gitlab-ci-git-push
  only:
    refs:
@ -26,9 +49,12 @@ deploy-backend-develop:
      - backend/*
  script:
    - git-push ssh://dokku@api-develop.fediverse.space:phoenix
+
 deploy-gephi-develop:
  stage: deploy
  image: ilyasemenov/gitlab-ci-git-push
+  environment:
+    name: develop
  only:
    refs:
      - develop
--- a/backend/.sobelow-conf
+++ b/backend/.sobelow-conf
@ -0,0 +1,12 @@
+[
+  verbose: false,
+  private: false,
+  skip: true,
+  router: "",
+  exit: "false",
+  format: "txt",
+  out: "",
+  threshold: "low",
+  ignore: ["Config.HTTPS"],
+  ignore_files: [""]
+]
--- a/backend/README.md
+++ b/backend/README.md
@ -4,6 +4,7 @@

 - This project requires Elixir >= 1.9.
 - Run with `SKIP_CRAWL=true` to just run the server (useful for working on the API without also crawling)
+- This project is automatically scanned for potential vulnerabilities with [Sobelow](https://sobelow.io/).

 ## Deployment

--- a/backend/lib/backend/crawler/crawlers/mastodon.ex
+++ b/backend/lib/backend/crawler/crawlers/mastodon.ex
@ -15,6 +15,7 @@ defmodule Backend.Crawler.Crawlers.Mastodon do
  end

  @impl ApiCrawler
+  # sobelow_skip ["DOS.StringToAtom"]
  def crawl(domain) do
    instance = Jason.decode!(get!("https://#{domain}/api/v1/instance").body)

@ -33,6 +34,7 @@ defmodule Backend.Crawler.Crawlers.Mastodon do
  end

  @spec crawl_large_instance(String.t(), any()) :: ApiCrawler.t()
+  # sobelow_skip ["DOS.StringToAtom"]
  defp crawl_large_instance(domain, instance) do
    # servers may not publish peers
    peers =
--- a/backend/mix.exs
+++ b/backend/mix.exs
@ -45,7 +45,8 @@ defmodule Backend.MixProject do
      {:timex, "~> 3.5"},
      {:honeydew, "~> 1.4.3"},
      {:quantum, "~> 2.3"},
-      {:corsica, "~> 1.1.2"}
+      {:corsica, "~> 1.1.2"},
+      {:sobelow, "~> 0.8", only: :dev}
    ]
  end

--- a/backend/mix.lock
+++ b/backend/mix.lock
@ -34,6 +34,7 @@
  "postgrex": {:hex, :postgrex, "0.14.3", "5754dee2fdf6e9e508cbf49ab138df964278700b764177e8f3871e658b345a1e", [:mix], [{:connection, "~> 1.0", [hex: :connection, repo: "hexpm", optional: false]}, {:db_connection, "~> 2.0", [hex: :db_connection, repo: "hexpm", optional: false]}, {:decimal, "~> 1.5", [hex: :decimal, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}], "hexpm"},
  "quantum": {:hex, :quantum, "2.3.4", "72a0e8855e2adc101459eac8454787cb74ab4169de6ca50f670e72142d4960e9", [:mix], [{:calendar, "~> 0.17", [hex: :calendar, repo: "hexpm", optional: true]}, {:crontab, "~> 1.1", [hex: :crontab, repo: "hexpm", optional: false]}, {:gen_stage, "~> 0.12", [hex: :gen_stage, repo: "hexpm", optional: false]}, {:swarm, "~> 3.3", [hex: :swarm, repo: "hexpm", optional: false]}, {:timex, "~> 3.1", [hex: :timex, repo: "hexpm", optional: true]}], "hexpm"},
  "ranch": {:hex, :ranch, "1.7.1", "6b1fab51b49196860b733a49c07604465a47bdb78aa10c1c16a3d199f7f8c881", [:rebar3], [], "hexpm"},
+  "sobelow": {:hex, :sobelow, "0.8.0", "a3ec73e546dfde19f14818e5000c418e3f305d9edb070e79dd391de0ae1cd1ea", [:mix], [], "hexpm"},
  "ssl_verify_fun": {:hex, :ssl_verify_fun, "1.1.4", "f0eafff810d2041e93f915ef59899c923f4568f4585904d010387ed74988e77b", [:make, :mix, :rebar3], [], "hexpm"},
  "swarm": {:hex, :swarm, "3.4.0", "64f8b30055d74640d2186c66354b33b999438692a91be275bb89cdc7e401f448", [:mix], [{:gen_state_machine, "~> 2.0", [hex: :gen_state_machine, repo: "hexpm", optional: false]}, {:libring, "~> 1.0", [hex: :libring, repo: "hexpm", optional: false]}], "hexpm"},
  "telemetry": {:hex, :telemetry, "0.4.0", "8339bee3fa8b91cb84d14c2935f8ecf399ccd87301ad6da6b71c09553834b2ab", [:rebar3], [], "hexpm"},
--- a/frontend/package.json
+++ b/frontend/package.json
@ -67,6 +67,7 @@
    "husky": "^3.0.0",
    "lint-staged": "^9.2.0",
    "tslint": "^5.18.0",
+    "tslint-config-security": "^1.16.0",
    "tslint-eslint-rules": "^5.4.0",
    "typescript": "^3.5.3"
  },
--- a/frontend/tslint.json
+++ b/frontend/tslint.json
@ -4,9 +4,8 @@
    "tslint-eslint-rules",
    "tslint-react",
    "@blueprintjs/tslint-config/blueprint-rules",
-    "tslint-config-prettier"
+    "tslint-config-prettier",
+    "tslint-config-security"
  ],
-  "exclude": [
-    "**/*.css"
-  ]
+  "exclude": ["**/*.css"]
 }
--- a/frontend/yarn.lock
+++ b/frontend/yarn.lock
@ -10449,6 +10449,13 @@ tslint-config-prettier@^1.17.0:
  resolved "https://registry.yarnpkg.com/tslint-config-prettier/-/tslint-config-prettier-1.18.0.tgz#75f140bde947d35d8f0d238e0ebf809d64592c37"
  integrity sha512-xPw9PgNPLG3iKRxmK7DWr+Ea/SzrvfHtjFt5LBl61gk2UBG/DB9kCXRjv+xyIU1rUtnayLeMUVJBcMX8Z17nDg==

+tslint-config-security@^1.16.0:
+  version "1.16.0"
+  resolved "https://registry.yarnpkg.com/tslint-config-security/-/tslint-config-security-1.16.0.tgz#a561fdf1fccc3986f78c2a12f1c1f5e0b50f6476"
+  integrity sha512-wwM+COg4FX1Gl6VnvaTV9zqcUY6cs4XkiP6T3qhc6s20Xy4J9irui6+fkP07yVkrwfcNFneji3YcIwiMvKSQPQ==
+  dependencies:
+    safe-regex "^1.1.0"
+
 tslint-eslint-rules@^5.4.0:
  version "5.4.0"
  resolved "https://registry.yarnpkg.com/tslint-eslint-rules/-/tslint-eslint-rules-5.4.0.tgz#e488cc9181bf193fe5cd7bfca213a7695f1737b5"