Add check for Cross-Site Websocket Hijacking

Author: GriffinMB

lib/mix/tasks/sobelow.ex

@@ -51,6 +51,7 @@ defmodule Mix.Tasks.Sobelow do
   * Config.HTTPS
   * Config.HSTS
   * Config.Secrets
+  * Config.CSWH
   * Vuln
   * Vuln.CookieRCE
   * Vuln.HeaderInject

lib/sobelow.ex

@@ -60,7 +60,10 @@ defmodule Sobelow do
     libroot_meta_files = if !phx_post_1_2?, do: get_meta_files(lib_root), else: []
 
     default_router = get_router(app_name, web_root)
-    routers = get_routers(root_meta_files ++ libroot_meta_files, default_router)
+
+    {routers, endpoints} =
+      get_phoenix_files(root_meta_files ++ libroot_meta_files, default_router)
+
     if Enum.empty?(routers), do: no_router()
 
     FindingLog.start_link()
@@ -78,7 +81,7 @@ defmodule Sobelow do
     if not (format() in ["quiet", "compact", "json"]), do: IO.puts(:stderr, print_banner())
     Application.put_env(:sobelow, :app_name, app_name)
 
-    if Enum.member?(allowed, Config), do: Config.fetch(project_root, routers)
+    if Enum.member?(allowed, Config), do: Config.fetch(project_root, routers, endpoints)
     if Enum.member?(allowed, Vuln), do: Vuln.get_vulns(project_root)
 
     allowed = allowed -- [Config, Vuln]
@@ -271,20 +274,31 @@ defmodule Sobelow do
     |> Path.expand()
   end
 
-  defp get_routers(meta_files, router) do
-    routers =
-      Enum.flat_map(meta_files, fn meta_file ->
-        case meta_file.is_router? do
-          true -> [meta_file.file_path]
-          _ -> []
+  defp get_phoenix_files(meta_files, router) do
+    phoenix_files =
+      Enum.reduce(meta_files, %{routers: [], endpoints: []}, fn meta_file, acc ->
+        cond do
+          meta_file.is_router? ->
+            Map.update!(acc, :routers, &[meta_file.file_path | &1])
+
+          meta_file.is_endpoint? ->
+            Map.update!(acc, :endpoints, &[meta_file.file_path | &1])
+
+          true ->
+            acc
         end
       end)
 
-    if File.exists?(router) do
-      Enum.uniq(routers ++ [router])
-    else
-      routers
-    end
+    uniq_phoenix_files =
+      if File.exists?(router) do
+        Map.update!(phoenix_files, :routers, fn routers ->
+          Enum.uniq(routers ++ [router])
+        end)
+      else
+        phoenix_files
+      end
+
+    {uniq_phoenix_files.routers, uniq_phoenix_files.endpoints}
   end
 
   defp get_meta_templates(root) do
@@ -332,7 +346,8 @@ defmodule Sobelow do
       file_path: Path.expand(filename),
       def_funs: def_funs,
       is_controller?: Utils.is_controller?(use_funs),
-      is_router?: Utils.is_router?(use_funs)
+      is_router?: Utils.is_router?(use_funs),
+      is_endpoint?: Utils.is_endpoint?(use_funs)
     }
   end
 
@@ -478,6 +493,7 @@ defmodule Sobelow do
       "Config.Secrets" -> Sobelow.Config.Secrets
       "Config.HTTPS" -> Sobelow.Config.HTTPS
       "Config.HSTS" -> Sobelow.Config.HSTS
+      "Config.CSWH" -> Sobelow.Config.CSWH
       "Vuln" -> Sobelow.Vuln
       "Vuln.CookieRCE" -> Sobelow.Vuln.CookieRCE
       "Vuln.HeaderInject" -> Sobelow.Vuln.HeaderInject

lib/sobelow/config.ex

@@ -3,20 +3,22 @@ defmodule Sobelow.Config do
   alias Sobelow.Config.CSRF
   alias Sobelow.Config.CSP
   alias Sobelow.Config.Headers
+  alias Sobelow.Config.CSWH
 
   @submodules [
     Sobelow.Config.CSRF,
     Sobelow.Config.Headers,
     Sobelow.Config.CSP,
     Sobelow.Config.Secrets,
     Sobelow.Config.HTTPS,
-    Sobelow.Config.HSTS
+    Sobelow.Config.HSTS,
+    Sobelow.Config.CSWH
   ]
 
   use Sobelow.FindingType
   @skip_files ["dev.exs", "test.exs", "dev.secret.exs", "test.secret.exs"]
 
-  def fetch(root, router) do
+  def fetch(root, router, endpoints) do
     allowed = @submodules -- Sobelow.get_ignored()
     ignored_files = Sobelow.get_env(:ignored_files)
 
@@ -28,12 +30,19 @@ defmodule Sobelow.Config do
         |> Enum.filter(&want_to_scan?(dir_path <> &1, ignored_files))
 
       Enum.each(allowed, fn mod ->
-        if mod in [CSRF, Headers, CSP] do
-          Enum.each(router, fn path ->
-            apply(mod, :run, [relative_router(path, root), configs])
-          end)
-        else
-          apply(mod, :run, [dir_path, configs])
+        cond do
+          mod in [CSRF, Headers, CSP] ->
+            Enum.each(router, fn path ->
+              apply(mod, :run, [relative_path(path, root), configs])
+            end)
+
+          mod in [CSWH] ->
+            Enum.each(endpoints, fn path ->
+              apply(mod, :run, [relative_path(path, root)])
+            end)
+
+          true ->
+            apply(mod, :run, [dir_path, configs])
         end
       end)
     end
@@ -45,7 +54,7 @@ defmodule Sobelow.Config do
        do: conf
   end
 
-  defp relative_router(path, root) do
+  defp relative_path(path, root) do
     path = Path.relative_to(path, Path.expand(root))
 
     case Path.type(path) do

lib/sobelow/config/cswh.ex

@@ -0,0 +1,82 @@
+defmodule Sobelow.Config.CSWH do
+  @moduledoc """
+  # Cross-Site Websocket Hijacking
+
+  Websocket connections are not bound by the same-origin policy.
+  Connections that do not validate the origin may leak information
+  to an attacker.
+
+  More information can be found here: https://www.christian-schneider.net/CrossSiteWebSocketHijacking.html
+
+  Cross-Site Websocket Hijacking checks can be disabled with
+  the following command:
+
+      $ mix sobelow -i Config.CSWH
+  """
+  alias Sobelow.Utils
+  use Sobelow.Finding
+
+  def run(endpoint) do
+    Utils.ast(endpoint)
+    |> Utils.get_funs_of_type(:socket)
+    |> handle_sockets(endpoint)
+  end
+
+  defp handle_sockets(sockets, endpoint) do
+    Enum.each(sockets, fn socket ->
+      check_socket(socket)
+      |> add_finding(socket, endpoint)
+    end)
+  end
+
+  def check_socket({_, _, [_, _, options]}) do
+    check_socket_options(options)
+  end
+
+  def check_socket(_), do: {false, :high}
+
+  defp check_socket_options([{:websocket, options} | _]) when is_list(options) do
+    case options[:check_origin] do
+      false -> {true, :high}
+      _ -> {true, :low}
+    end
+  end
+
+  defp check_socket_options([_ | t]), do: check_socket_options(t)
+  defp check_socket_options([]), do: {false, :high}
+
+  defp add_finding(nil, _, _), do: nil
+  defp add_finding({false, _}, _, _), do: nil
+
+  defp add_finding({true, confidence}, socket, endpoint) do
+    type = "Cross-Site Websocket Hijacking"
+    endpoint_path = "File: #{Utils.normalize_path(endpoint)}"
+
+    case Sobelow.format() do
+      "json" ->
+        finding = [
+          type: type,
+          endpoint: endpoint
+        ]
+
+        Sobelow.log_finding(finding, confidence)
+
+      "txt" ->
+        Sobelow.log_finding(type, confidence)
+
+        Utils.print_custom_finding_metadata(
+          socket,
+          :highlight_all,
+          confidence,
+          type,
+          [endpoint_path]
+        )
+
+      "compact" ->
+        Utils.log_compact_finding(type, confidence)
+
+      _ ->
+        Sobelow.log_finding(type, confidence)
+    end
+  end
+end

lib/sobelow/utils.ex

@@ -62,6 +62,10 @@ defmodule Sobelow.Utils do
     has_use_type?(uses, :router)
   end
 
+  def is_endpoint?([{:use, _, [{_, _, [:Phoenix, :Endpoint]}, _]} | _]), do: true
+  def is_endpoint?([_ | t]), do: is_endpoint?(t)
+  def is_endpoint?(_), do: false
+
   def has_use_type?([{:use, _, [_, type]} | _], type), do: true
   def has_use_type?([_ | t], type), do: has_use_type?(t, type)
   def has_use_type?(_, _), do: false

test/config/cswh_test.exs

@@ -0,0 +1,53 @@
+defmodule SobelowTest.Config.CSWHTest do
+  use ExUnit.Case
+  alias Sobelow.Utils
+  alias Sobelow.Config.CSWH
+
+  test "checks normal endpoint" do
+    endpoint = "./test/fixtures/cswh/good_endpoint.ex"
+
+    is_vuln? =
+      Utils.ast(endpoint)
+      |> Utils.get_funs_of_type(:socket)
+      |> Enum.any?(fn socket ->
+        case CSWH.check_socket(socket) do
+          {true, _} -> true
+          _ -> false
+        end
+      end)
+
+    refute is_vuln?
+  end
+
+  test "checks no-check endpoint" do
+    endpoint = "./test/fixtures/cswh/bad_endpoint.ex"
+
+    is_vuln? =
+      Utils.ast(endpoint)
+      |> Utils.get_funs_of_type(:socket)
+      |> Enum.any?(fn socket ->
+        case CSWH.check_socket(socket) do
+          {true, :high} -> true
+          _ -> false
+        end
+      end)
+
+    assert is_vuln?
+  end
+
+  test "checks loose check endpoint" do
+    endpoint = "./test/fixtures/cswh/soso_endpoint.ex"
+
+    is_vuln? =
+      Utils.ast(endpoint)
+      |> Utils.get_funs_of_type(:socket)
+      |> Enum.any?(fn socket ->
+        case CSWH.check_socket(socket) do
+          {true, :low} -> true
+          _ -> false
+        end
+      end)
+
+    assert is_vuln?
+  end
+end

test/fixtures/cswh/bad_endpoint.ex

@@ -0,0 +1,8 @@
+defmodule PhoenixWeb.Endpoint do
+  use Phoenix.Endpoint, otp_app: :phoenix
+
+  socket("/socket", PhoenixInternalsWeb.UserSocket,
+    websocket: [check_origin: false],
+    longpoll: false
+  )
+end

test/fixtures/cswh/good_endpoint.ex

@@ -0,0 +1,8 @@
+defmodule PhoenixWeb.Endpoint do
+  use Phoenix.Endpoint, otp_app: :phoenix
+
+  socket("/socket", PhoenixInternalsWeb.UserSocket,
+    websocket: true,
+    longpoll: false
+  )
+end

test/fixtures/cswh/soso_endpoint.ex

@@ -0,0 +1,8 @@
+defmodule PhoenixWeb.Endpoint do
+  use Phoenix.Endpoint, otp_app: :phoenix
+
+  socket("/socket", PhoenixInternalsWeb.UserSocket,
+    websocket: [check_origin: ["//example.com"]],
+    longpoll: false
+  )
+end