lib/sobelow/vuln/header_inject.ex

defmodule Sobelow.Vuln.HeaderInject do
  @moduledoc """
  # Plug Version Vulnerable to Header Injection

  For more information visit:
  https://github.com/advisories/GHSA-9h73-w7ch-rh73

  Header Injection checks can be ignored with the following command:

      $ mix sobelow -i Vuln.HeaderInject
  """
  alias Sobelow.Config
  alias Sobelow.Vuln

  # NOTE(review): these two attributes are declared before `use Sobelow.Finding`;
  # keep that order in case the `use` reads them while defining the finding
  # callbacks - confirm against Sobelow.Finding before moving them.
  @uid 25
  @finding_type "Vuln.HeaderInject: Known Vulnerable Dependency - Update Plug"

  use Sobelow.Finding

  # Requirement strings for the affected Plug release ranges, one per minor
  # series. The oldest ranges are likely unreachable on any Elixir that can run
  # Sobelow, but they are kept so the list mirrors the advisory verbatim.
  @vuln_vsn ["<=1.3.4 and >=1.3.0", "<=1.2.4 and >=1.2.0", "<=1.1.8 and >=1.1.0", "<=1.0.5"]

  @doc """
  Reports a finding when the Plug dependency fetched under `root` is in an
  affected version range.

  Looks for `deps/plug/mix.exs` below `root`, reads its version with
  `Sobelow.Config.get_version/1`, parses it with `Version.parse/1` and compares
  the result against the affected ranges. Returns `nil` when the file is
  missing, the version does not parse, or the version is not affected;
  otherwise returns the result of `Sobelow.Vuln.print_finding/6`.
  """
  @spec run(binary()) :: term()
  def run(root) do
    # Concatenation is kept (rather than Path.join/2) so a `root` with a trailing
    # slash produces exactly the path the check has always used.
    plug_conf = root <> "/deps/plug/mix.exs"

    with true <- File.exists?(plug_conf),
         # assumes get_version/1 returns a version string - Version.parse/1 is
         # only defined for binaries; TODO confirm in Sobelow.Config
         {:ok, parsed} <- plug_conf |> Config.get_version() |> Version.parse(),
         true <- vulnerable?(parsed) do
      Vuln.print_finding(
        plug_conf,
        parsed,
        "Plug",
        "Header Injection",
        "CVE-2018-1000883",
        "HeaderInject"
      )
    else
      # Any non-matching step (missing file, unparseable or unaffected version)
      # yields nil, the same as the original if/case fall-through.
      _ -> nil
    end
  end

  # True when the parsed `Version` satisfies at least one affected requirement.
  defp vulnerable?(%Version{} = parsed) do
    Enum.any?(@vuln_vsn, &Version.match?(parsed, &1))
  end
end