defmodule Sobelow.Vuln.CookieRCE do
  @moduledoc """
  # Plug Version Vulnerable to Arbitrary Code Execution in Cookie Serialization

  For more information visit:
  https://github.com/advisories/GHSA-5v4m-c73v-c7gq

  Cookie RCE checks can be ignored with the following command:

      $ mix sobelow -i Vuln.CookieRCE
  """
  alias Sobelow.Config
  alias Sobelow.Vuln

  @uid 23
  @finding_type "Vuln.Plug: Known Vulnerable Dependency - Update Plug"

  use Sobelow.Finding

  # we could _probably_ remove some of these versions since if Sobelow is running,
  # it means there is a minimum version of Elixir on the system which the lower
  # versions of Plug wouldn't support - will leave for now to reflect CVE
  @vuln_vsn ~w(1.3.1 1.3.0 1.2.2 1.2.1 1.2.0 1.1.6 1.1.5 1.1.4 1.1.3 1.1.2 1.1.1 1.1.0 1.0.3 1.0.2 1.0.1 1.0.0)

  def run(root) do
    plug_conf = root <> "/deps/plug/mix.exs"

    if File.exists?(plug_conf) do
      vsn = Config.get_version(plug_conf)

      if Enum.member?(@vuln_vsn, vsn) do
        Vuln.print_finding(
          plug_conf,
          vsn,
          "Plug",
          "Arbitrary Code Execution in Cookie Serialization",
          "CVE-2017-1000053",
          "CookieRCE"
        )
      end
    end
  end
end