nccgroup/sobelow

Support detecting for Wildcard check_origin Vulnerability

Open

#117 opened on Jan 10, 2023

View on GitHub
 (0 comments) (0 reactions) (0 assignees)Elixir (1,780 stars) (119 forks)batch import
featuregood first issue

Description

We should create a new detection for the vulnerability that was patched in the Phoenix 1.3.5, 1.4.18, 1.5.14, and 1.6.14 releases - this could be done somewhat similarly to how Vuln.Ecto works with some conditional logic for checking if wildcard origin is present.

https://elixirforum.com/t/phoenix-1-3-1-4-1-5-and-1-6-security-releases-for-wildcard-check-origin-vulnerability/50902

Contributor guide

Tech stack
elixir
Domain
security
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
ElixirPhoenixstatic analysis
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
40
Research direction
The new detection should follow patterns from existing modules like Vuln.Ecto (lib/vuln ecto.ex). The wildcard check origin vulnerability was documented in the referenced forum post: https://elixirforum.com/t/phoenix 1-3-1-4-1-5 and 1-6 security releases for wildcard check origin vulnerability/50902. Implement conditional logic to detect presence of wildcard origin in configuration files.