lib/sobelow/rce/eex.ex

defmodule Sobelow.RCE.EEx do
  @moduledoc """
  # Insecure EEx evaluation

  If user input is passed to EEx eval functions, it may result in
  arbitrary code execution. The root cause of these issues is often
  directory traversal.

  EEx checks can be ignored with the following command:

      $ mix sobelow -i RCE.EEx
  """
  # Finding identifier and headline. They are declared before the `use`
  # line below, which presumably reads them at compile time -- keep the order.
  @uid 16
  @finding_type "RCE.EEx: Code Execution in EEx template eval"

  use Sobelow.Finding

  # The `EEx` functions that compile and evaluate a template at runtime.
  # `eval_file/2` takes a path (the traversal case mentioned in the moduledoc);
  # `eval_string/2` takes the template source itself. Each gets its own
  # finding title in `run/2`.
  @eex_funs [:eval_string, :eval_file]

  @doc """
  Scans the function definition `fun` for calls to `EEx.eval_string` and
  `EEx.eval_file` and prints one finding per occurrence.

  When `meta_file` is not a controller the findings carry `:low`
  confidence; for controllers the confidence is `nil` and is handed to
  `Finding.init/3` unchanged.
  """
  def run(fun, meta_file) do
    confidence = default_confidence(meta_file)
    Enum.each(@eex_funs, &report(&1, fun, meta_file, confidence))
  end

  @doc """
  Collects the variables and metadata of every `EEx.<eex_fun>` call in `fun`.

  The `0` presumably selects the first call argument (template source or
  path) -- confirm against `Parse.get_fun_vars_and_meta/4`.
  """
  def parse_def(fun, eex_fun) do
    Parse.get_fun_vars_and_meta(fun, 0, eex_fun, [:EEx])
  end

  # Non-controllers are reported with `:low` confidence; controllers get
  # `nil`, i.e. no explicit confidence is passed to `Finding.init/3`.
  defp default_confidence(meta_file) do
    if meta_file.is_controller?, do: nil, else: :low
  end

  # Builds and prints the findings for one EEx eval function.
  defp report(eex_fun, fun, meta_file, confidence) do
    title = "RCE.EEx: Code Execution in `EEx.#{eex_fun}`"

    title
    |> Finding.init(meta_file.filename, confidence)
    |> Finding.multi_from_def(fun, parse_def(fun, eex_fun))
    |> Enum.each(&Print.add_finding/1)
  end
end