From 9a2d9848d46c2e8333181ec3ebc10b5bc4e0a024 Mon Sep 17 00:00:00 2001
From: Barrie Loydall
Date: Wed, 5 Feb 2020 14:57:54 -0800
Subject: [PATCH] add sobelow and review the vulnerabilities
---
 .gitignore | 9 +++++++++
 .sobelow-conf | 12 ++++++++++++
 lib/linguist/compiler.ex | 1 +
 lib/linguist/memorized_vocabulary.ex | 1 +
 lib/linguist/vocabulary.ex | 3 +++
 mix.exs | 3 ++-
 mix.lock | 1 +
 7 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 .sobelow-conf
diff --git a/.gitignore b/.gitignore
index f1fbc91..a74101c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,12 @@
 erl_crash.dump
 *.ez
 .tmux.rb
+
+# OSX's favorite useless file
+.DS_Store
+
+# VS Code plugin
+/.elixir_ls/
+
+# Generated sobelow file
+.sobelow
diff --git a/.sobelow-conf b/.sobelow-conf
new file mode 100644
index 0000000..d702a16
--- /dev/null
+++ b/.sobelow-conf
@@ -0,0 +1,12 @@
+[
+ verbose: false,
+ private: false,
+ skip: true,
+ router: "",
+ exit: "false",
+ format: "txt",
+ out: "",
+ threshold: "low",
+ ignore: ["Config.CSRF", "Config.HTTPS"],
+ ignore_files: [""]
+]
diff --git a/lib/linguist/compiler.ex b/lib/linguist/compiler.ex
index 5954c14..15de352 100644
--- a/lib/linguist/compiler.ex
+++ b/lib/linguist/compiler.ex
@@ -103,6 +103,7 @@ defmodule Linguist.Compiler do
 end
 end
 
+ # sobelow_skip ["DOS.StringToAtom"]
 defp interpolate(string, var) do
 @interpol_rgx
 |> Regex.split(string, on: [:head, :tail])
diff --git a/lib/linguist/memorized_vocabulary.ex b/lib/linguist/memorized_vocabulary.ex
index 0f1a9e2..00c0e22 100644
--- a/lib/linguist/memorized_vocabulary.ex
+++ b/lib/linguist/memorized_vocabulary.ex
@@ -62,6 +62,7 @@ defmodule Linguist.MemorizedVocabulary do
 end
 end
 
+ # sobelow_skip ["DOS.StringToAtom"]
 defp do_t(locale, translation_key, bindings) do
 case :ets.lookup(:translations_registry, "#{locale}.#{translation_key}") do
 [] -> {:error, :no_translation}
diff --git a/lib/linguist/vocabulary.ex b/lib/linguist/vocabulary.ex
index f5f1ca1..6c992aa 100644
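Review bot: `exit: "false"` in the new `.sobelow-conf` means `mix sobelow` returns status 0 whatever it finds, so the scan can never fail a build and a new, unskipped finding is only seen by whoever reads the text output. As far as I know Sobelow's `exit` option takes a confidence threshold, and since this commit triages the existing findings with `sobelow_skip` markers that `skip: true` honours, the remaining count should already be zero, which is exactly when a failing exit is cheap: `exit: "low",`. `ignore_files: [""]` holds an empty string rather than no entries; it is probably harmless, but `ignore_files: []` states the intent and avoids a spurious match on an empty path. The `Config.CSRF`/`Config.HTTPS` ignores look appropriate for a library that has no Phoenix router (`router: ""`), and a short comment saying so would stop the next reader from re-checking them.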
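Review bot: The `# sobelow_skip ["DOS.StringToAtom"]` marker added above `interpolate/2` records that the finding was triaged but not why atom creation is acceptable here, so the next reader has to re-derive it; the `String.to_atom` call it silences lies further down in `interpolate/2`, whose body continues outside the hunk. If, as the `@interpol_rgx` split of `string` suggests, the converted values are placeholder names taken from translation text that is fixed when the vocabulary module is compiled, put that on its own comment line directly above the marker, e.g. `# Placeholder names come from vocabulary source compiled at build time, not from runtime callers.`; if a runtime caller can supply `string`, `String.to_existing_atom/1` is the safer replacement because it never grows the atom table. The same undocumented marker is added to both `_yaml_reducer/2` clauses in lib/linguist/vocabulary.ex, where the converted values are keys read from the locale YAML files; one sentence naming that source and who controls those files would make each skip reviewable later.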
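Review bot: The skip on `do_t/3` differs from the other two in that it sits on a runtime path rather than a compile-time one: `locale` and `translation_key` are arguments of a function called at translation time, and the ETS lookup on `"#{locale}.#{translation_key}"` shows they are used as-is, so whether the atom table can be grown by a caller depends on who controls those values. The `String.to_atom` call itself is not in the hunk (the body of `do_t/3` continues past the visible lines), so this cannot be confirmed here. Before accepting the skip, verify that the value handed to `String.to_atom` is drawn from a fixed set (for example the locales already loaded into `:translations_registry`) and record that above the marker, `# <converted value> is bounded because <reason>`; otherwise `String.to_existing_atom/1`, which raises `ArgumentError` for an unknown name instead of allocating, is the defensive choice.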
--- a/lib/linguist/vocabulary.ex
+++ b/lib/linguist/vocabulary.ex
@@ -96,9 +96,12 @@ defmodule Linguist.Vocabulary do
 Recursive function used internally for loading yaml files.
 Not intended for external use
 """
+ # sobelow_skip ["DOS.StringToAtom"]
 def _yaml_reducer({key, value}, acc) when is_binary(value) do
 [{String.to_atom(key), value} | acc]
 end
+
+ # sobelow_skip ["DOS.StringToAtom"]
 def _yaml_reducer({key, value}, acc) do
 [{String.to_atom(key), Enum.reduce(value, [], &Linguist.Vocabulary._yaml_reducer/2)} | acc]
 end
diff --git a/mix.exs b/mix.exs
index 5675a38..4540f22 100644
--- a/mix.exs
+++ b/mix.exs
@@ -30,7 +30,8 @@ defmodule Linguist.Mixfile do
 {:ex_cldr, "~> 1.6.0"},
 {:jason, "~> 1.0"},
 {:yaml_elixir, "~> 2.0"},
- {:credo, "~> 0.9.0", only: [:dev, :test], runtime: false}
+ {:credo, "~> 0.9.0", only: [:dev, :test], runtime: false},
+ {:sobelow, "~> 0.10", only: :dev, runtime: false}
 ]
 end
 end
diff --git a/mix.lock b/mix.lock
index 3da2a3c..5e65b20 100644
--- a/mix.lock
+++ b/mix.lock
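Review bot: The new `sobelow` dependency is restricted to `only: :dev`, while the sibling `credo` entry on the line above uses `only: [:dev, :test]`; a CI job that runs the checks under `MIX_ENV=test` will find `mix credo` but not `mix sobelow`. If the scanner is meant to run alongside credo in CI, `{:sobelow, "~> 0.10", only: [:dev, :test], runtime: false}` keeps the two tools consistent; if it is deliberately a local-only tool, a short comment on the line saying so would stop the mismatch from being "fixed" later. Either way the scanner only protects the build if something actually runs it, so the commit message or README should name the command and environment it is expected to run in.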
@@ -6,6 +6,7 @@
 "ex_cldr": {:hex, :ex_cldr, "1.6.4", "28b0aebdc38bb04414fce24679365a9355d1fce3ca731c7273d34927c6bdb8ce", [:mix], [{:abnf2, "~> 0.1", [hex: :abnf2, repo: "hexpm", optional: false]}, {:decimal, "~> 1.4", [hex: :decimal, repo: "hexpm", optional: false]}, {:gettext, "~> 0.13", [hex: :gettext, repo: "hexpm", optional: true]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:phoenix, "~> 1.3", [hex: :phoenix, repo: "hexpm", optional: true]}, {:plug, "~> 1.4", [hex: :plug, repo: "hexpm", optional: true]}, {:poison, "~> 2.1 or ~> 3.0", [hex: :poison, repo: "hexpm", optional: true]}, {:sweet_xml, "~> 0.6", [hex: :sweet_xml, repo: "hexpm", optional: true]}], "hexpm"},
 "jason": {:hex, :jason, "1.0.0", "0f7cfa9bdb23fed721ec05419bcee2b2c21a77e926bce0deda029b5adc716fe2", [:mix], [{:decimal, "~> 1.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm"},
 "poison": {:hex, :poison, "3.1.0", "d9eb636610e096f86f25d9a46f35a9facac35609a7591b3be3326e99a0484665", [:mix], [], "hexpm"},
+ "sobelow": {:hex, :sobelow, "0.10.0", "2beea5387dd47ce5ead9df0562eb93b33e4b574d006ea31b8dce9e0cc775a4d6", [:mix], [], "hexpm"},
 "yamerl": {:hex, :yamerl, "0.7.0", "e51dba652dce74c20a88294130b48051ebbbb0be7d76f22de064f0f3ccf0aaf5", [:rebar3], [], "hexpm"},
 "yaml_elixir": {:hex, :yaml_elixir, "2.0.0", "5d7c40e039b076c0da1921b2754d4a91bc435ac4434bef633f5506dbafd6b8f2", [:mix], [{:yamerl, "~> 0.5", [hex: :yamerl, repo: "hexpm", optional: false]}], "hexpm"},
 "yomel": {:hex, :yomel, "0.5.0", "c5a42d1818deda3f85ae14b1f01f6ece22b9ed8e8087012359fc04b59d85f621", [:make, :mix], [], "hexpm"},