defmodule Sobelow.XSS.ContentType do
@moduledoc """
# XSS in `put_resp_content_type`
If an attacker is able to set arbitrary content types for an
HTTP response containing user input, the attacker is likely to
be able to leverage this for cross-site scripting (XSS).
For example, consider an endpoint that returns JSON with user
input:
{"json": "user_input"}
If an attacker can control the content type set in the HTTP
response, they can set it to "text/html" and update the
JSON to the following in order to cause XSS:
{"json": "<script>alert(document.domain)</script>"}
Content Type checks can be ignored with the following command:
$ mix sobelow -i XSS.ContentType
"""
@uid 28
@finding_type "XSS.ContentType: XSS in `put_resp_content_type`"
use Sobelow.Finding
def run(fun, meta_file) do
confidence = if !meta_file.is_controller?, do: :low
Finding.init(@finding_type, meta_file.filename, confidence)
|> Finding.multi_from_def(fun, parse_def(fun))
|> Enum.each(&Print.add_finding(&1))
end
## put_resp_content_type(conn, content_type, charset \\ "utf-8")
def parse_def(fun) do
Parse.get_fun_vars_and_meta(fun, 1, :put_resp_content_type, :Conn)
end
end