12 changes: 11 additions & 1 deletion .github/workflows/tests.yml
@@ -1,7 +1,7 @@
name: CI
on:
push:
branches: [master]
branches: [master, ps-harden]
pull_request:
# Don't bother running if it's just a script or docs change
paths-ignore:
@@ -60,6 +60,16 @@ jobs:
- uses: ./.github/actions/setup-all
- run: npm run ci:lint:scss

elixiraudit:
name: Auditing / Elixir
runs-on: ubuntu-20.04
needs: file_changes
if: ${{ needs.file_changes.outputs.ex }}
steps:
- uses: actions/checkout@v3
- uses: ./.github/actions/setup-all
- run: npm run ci:audit:ex

elixirlint:
name: Linting / Elixir
runs-on: ubuntu-20.04
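Review bot: The new `elixiraudit` job is gated by `if: ${{ needs.file_changes.outputs.ex }}`, so the dependency audit only runs when that filter reports Elixir changes. An advisory published against an unchanged dependency would go unnoticed until the next Elixir edit, and this section does not show whether a `mix.lock`-only change sets that output. Consider adding a `schedule:` trigger to the workflow so the audit also runs periodically, with the condition relaxed to `if: ${{ github.event_name == 'schedule' || needs.file_changes.outputs.ex }}`. Also, `branches: [master, ps-harden]` in the first hunk adds what looks like a working branch to the push trigger and should probably go back to `[master]` before merge.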
13 changes: 7 additions & 6 deletions Dockerfile
@@ -31,11 +31,12 @@ ARG SENTRY_DSN=""
# copy in Elixir deps required to build node modules for Phoenix
COPY --from=elixir-builder /root/deps /root/deps

ADD apps/site/assets /root/apps/site/assets

WORKDIR /root/apps/site/assets/
ADD apps/site/assets/package.json apps/site/assets/package-lock.json /root/apps/site/assets/
RUN npm ci

# Create apps/site/priv/static
ADD apps/site/assets /root/apps/site/assets
RUN npm run webpack:build -- --env SENTRY_DSN=$SENTRY_DSN
# Create apps/site/react_renderer/dist/app.js
RUN npm run webpack:build:react
@@ -70,16 +71,16 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
libssl1.1 libsctp1 curl dumb-init \
&& rm -rf /var/lib/apt/lists/*

WORKDIR /root
RUN adduser --home /work --disabled-password dotcom && \
ulimit -n

COPY --from=app-builder /root/_build/prod/rel /root/rel
COPY --from=assets-builder /root/apps/site/react_renderer/dist/app.js /root/rel/site/app.js

ADD rel/bin/startup /root/rel/site/bin/startup

RUN mkdir /root/work

WORKDIR /root/work
WORKDIR /work
USER dotcom

# run the application
ENTRYPOINT ["/usr/bin/dumb-init"]
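Review bot: After `USER dotcom` the process no longer runs as root, but the release is still copied under `/root/rel` (`COPY --from=app-builder ... /root/rel` and `ADD rel/bin/startup /root/rel/site/bin/startup`). On Debian-based images `/root` is normally mode 0700, so the unprivileged user likely cannot traverse into it to start the release. Consider placing the release outside `/root`, for example `COPY --from=app-builder /root/_build/prod/rel /opt/rel`, and keeping it root-owned so the running app cannot modify its own code. The `ulimit -n` in the `adduser` RUN step only prints the build-time limit and has no effect on the running container. The CMD that launches the release is outside this hunk, so the exact path it uses is not visible here.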
2 changes: 1 addition & 1 deletion apps/feedback/mix.exs
@@ -38,7 +38,7 @@ defmodule Feedback.Mixfile do
{:timex, ">= 2.0.0"},
{:briefly, "~> 0.3"},
{:plug, "~> 1.12"},
{:ex_aws, "~> 2.1.2"},
{:ex_aws, "~> 2.4"},
{:ex_aws_ses, "~> 2.1.1"},
{:mail, "~> 0.2"},
{:exvcr_helpers, in_umbrella: true, only: :test}
4 changes: 1 addition & 3 deletions apps/location_service/mix.exs
@@ -45,9 +45,7 @@ defmodule LocationService.Mixfile do
{:stops, in_umbrella: true},
{:bypass, "~> 1.0", only: :test},
{:exvcr_helpers, in_umbrella: true, only: :test},
# Can replace with release after 2.2.10
{:ex_aws,
github: "ex-aws/ex_aws", ref: "08cbbd2aef4ebf52796e48761d1351b5c87c4c5e", override: true}
{:ex_aws, "~> 2.4"}
]
end
end
1 change: 1 addition & 0 deletions apps/site/mix.exs
@@ -64,6 +64,7 @@ defmodule Site.Mixfile do
{:parallel_stream, "~> 1.0.5"},
{:bypass, "~> 1.0", only: :test},
{:dialyxir, ">= 1.0.0-rc.4", only: [:test, :dev], runtime: false},
{:sobelow, "~> 0.11.1"},
{:benchfella, "~> 0.3", only: :dev},
{:floki, "~> 0.31.0"},
{:httpoison, "~> 1.5"},
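Review bot: `{:sobelow, "~> 0.11.1"}` is declared without `only:` or `runtime: false`, so the static-analysis tool becomes a dependency in every environment, including the production release. The `dialyxir` entry just above shows the convention for tooling. Suggest `{:sobelow, "~> 0.11.1", only: [:dev, :test], runtime: false},`, assuming CI runs the audit under one of those environments. Separately, the `mix deps.audit` step in the new CI script needs `mix_audit`, which appears in mix.lock but is not declared in any mix.exs section visible on this page; worth confirming it is declared and likewise kept out of prod. The deps list continues outside this hunk.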
5 changes: 1 addition & 4 deletions mix.exs
@@ -34,10 +34,7 @@ defmodule DotCom.Mixfile do
{:excoveralls, "~> 0.14", only: :test},
{:ex_doc, "~> 0.18", only: :dev},
{:exvcr, "~> 0.11.0", only: [:dev, :test]},
{:eflame, "~> 1.0", only: :dev},
# Can replace with release after 2.2.10
{:ex_aws,
github: "ex-aws/ex_aws", ref: "08cbbd2aef4ebf52796e48761d1351b5c87c4c5e", override: true}
{:eflame, "~> 1.0", only: :dev}
]
end

6 changes: 5 additions & 1 deletion mix.lock
@@ -19,7 +19,7 @@
"eflame": {:hex, :eflame, "1.0.1", "0664d287e39eef3c413749254b3af5f4f8b00be71c1af67d325331c4890be0fc", [:mix], [], "hexpm", "e0b08854a66f9013129de0b008488f3411ae9b69b902187837f994d7a99cf04e"},
"ehmon": {:git, "https://github.com/mbta/ehmon.git", "1fb603262bd02d74a16183bd8f344dcace9d7561", []},
"erlex": {:hex, :erlex, "0.1.6", "c01c889363168d3fdd23f4211647d8a34c0f9a21ec726762312e08e083f3d47e", [:mix], [], "hexpm", "f9388f7d1a668bee6ebddc040422ed6340af74aced153e492330da4c39516d92"},
"ex_aws": {:git, "https://github.com/ex-aws/ex_aws.git", "08cbbd2aef4ebf52796e48761d1351b5c87c4c5e", [ref: "08cbbd2aef4ebf52796e48761d1351b5c87c4c5e"]},
"ex_aws": {:hex, :ex_aws, "2.4.1", "d1dc8965d1dc1c939dd4570e37f9f1d21e047e4ecd4f9373dc89cd4e45dce5ef", [:mix], [{:configparser_ex, "~> 4.0", [hex: :configparser_ex, repo: "hexpm", optional: true]}, {:hackney, "~> 1.16", [hex: :hackney, repo: "hexpm", optional: true]}, {:jason, "~> 1.1", [hex: :jason, repo: "hexpm", optional: true]}, {:jsx, "~> 2.8 or ~> 3.0", [hex: :jsx, repo: "hexpm", optional: true]}, {:mime, "~> 1.2 or ~> 2.0", [hex: :mime, repo: "hexpm", optional: false]}, {:sweet_xml, "~> 0.7", [hex: :sweet_xml, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4.3 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "803387db51b4e91be4bf0110ba999003ec6103de7028b808ee9b01f28dbb9eee"},
"ex_aws_ses": {:hex, :ex_aws_ses, "2.1.1", "7324f2d0038203c70f8b9f5d0f0473a1f473b94e8eca57c84bf4b6aac04d584b", [:mix], [{:ex_aws, "~> 2.0", [hex: :ex_aws, repo: "hexpm", optional: false]}], "hexpm", "86c8a7b139533649c21c4ace6b625f7f2dd2a9190285dd1dc8e0cb9b4002dd19"},
"ex_doc": {:hex, :ex_doc, "0.25.3", "3edf6a0d70a39d2eafde030b8895501b1c93692effcbd21347296c18e47618ce", [:mix], [{:earmark_parser, "~> 1.4.0", [hex: :earmark_parser, repo: "hexpm", optional: false]}, {:makeup_elixir, "~> 0.14", [hex: :makeup_elixir, repo: "hexpm", optional: false]}, {:makeup_erlang, "~> 0.1", [hex: :makeup_erlang, repo: "hexpm", optional: false]}], "hexpm", "9ebebc2169ec732a38e9e779fd0418c9189b3ca93f4a676c961be6c1527913f5"},
"exactor": {:hex, :exactor, "2.2.3", "a6972f43bb6160afeb73e1d8ab45ba604cd0ac8b5244c557093f6e92ce582786", [:mix], [], "hexpm", "2c49a3b991bcacf1bcd20708cfce6380a12a0bdbf9b64dcd72a04bfde30754f9"},
@@ -52,6 +52,7 @@
"mime": {:hex, :mime, "2.0.1", "0de4c81303fe07806ebc2494d5321ce8fb4df106e34dd5f9d787b637ebadc256", [:mix], [], "hexpm", "7a86b920d2aedce5fb6280ac8261ac1a739ae6c1a1ad38f5eadf910063008942"},
"mimerl": {:hex, :mimerl, "1.2.0", "67e2d3f571088d5cfd3e550c383094b47159f3eee8ffa08e64106cdf5e981be3", [:rebar3], [], "hexpm", "f278585650aa581986264638ebf698f8bb19df297f66ad91b18910dfc6e19323"},
"mint": {:hex, :mint, "1.4.0", "cd7d2451b201fc8e4a8fd86257fb3878d9e3752899eb67b0c5b25b180bde1212", [:mix], [{:castore, "~> 0.1.0", [hex: :castore, repo: "hexpm", optional: true]}], "hexpm", "10a99e144b815cbf8522dccbc8199d15802440fc7a64d67b6853adb6fa170217"},
"mix_audit": {:hex, :mix_audit, "2.1.0", "3c0dafb29114dffcdb508164a3d35311a9ac2c5baeba6495c9cd5315c25902b9", [:make, :mix], [{:jason, "~> 1.1", [hex: :jason, repo: "hexpm", optional: false]}, {:yaml_elixir, "~> 2.9", [hex: :yaml_elixir, repo: "hexpm", optional: false]}], "hexpm", "14c57a23e0a5f652c1e7f6e8dab93f166f66d63bd0c85f97278f5972b14e2be0"},
"mochiweb": {:hex, :mochiweb, "2.22.0", "f104d6747c01a330c38613561977e565b788b9170055c5241ac9dd6e4617cba5", [:rebar3], [], "hexpm", "cbbd1fd315d283c576d1c8a13e0738f6dafb63dc840611249608697502a07655"},
"mock": {:hex, :mock, "0.3.3", "42a433794b1291a9cf1525c6d26b38e039e0d3a360732b5e467bfc77ef26c914", [:mix], [{:meck, "~> 0.8.13", [hex: :meck, repo: "hexpm", optional: false]}], "hexpm", "a280d1f7b6f4bbcbd9282616e57502721781c66ee5b540720efabeaf627cc7eb"},
"nimble_parsec": {:hex, :nimble_parsec, "1.1.0", "3a6fca1550363552e54c216debb6a9e95bd8d32348938e13de5eda962c0d7f89", [:mix], [], "hexpm", "08eb32d66b706e913ff748f11694b17981c0b04a33ef470e33e11b3d3ac8f54b"},
@@ -77,6 +78,7 @@
"sentry": {:hex, :sentry, "7.0.4", "a9a00b480becfca5b897a1b383f88e21fa21abc876e2b1b30060040f76a9c776", [:mix], [{:hackney, "~> 1.8 or 1.6.5", [hex: :hackney, repo: "hexpm", optional: false]}, {:jason, "~> 1.1", [hex: :jason, repo: "hexpm", optional: true]}, {:phoenix, "~> 1.3", [hex: :phoenix, repo: "hexpm", optional: true]}, {:plug, "~> 1.6", [hex: :plug, repo: "hexpm", optional: true]}, {:plug_cowboy, "~> 1.0 or ~> 2.0", [hex: :plug_cowboy, repo: "hexpm", optional: true]}], "hexpm", "0aa7e405388af5634aefad7f3e11f188e8c13d0003ae7100b956eb01c8b002a5"},
"server_sent_event_stage": {:hex, :server_sent_event_stage, "1.0.1", "bbafc90a252e9a506f680b18af5acb9014089edbcffff434e2bd9abea3bb4f53", [:mix], [{:castore, "~> 0.1", [hex: :castore, repo: "hexpm", optional: true]}, {:ex_doc, "~> 0.21", [hex: :ex_doc, repo: "hexpm", optional: true]}, {:gen_stage, "~> 0.14", [hex: :gen_stage, repo: "hexpm", optional: false]}, {:mint, "~> 1.0", [hex: :mint, repo: "hexpm", optional: false]}], "hexpm", "417145199dd05e310a784b95eb1d9ed71ad54052110efe847c01e617942fe73c"},
"sizeable": {:hex, :sizeable, "0.1.5", "47fb6563efb1e11374b552b778808cf143496a003d1889c56a953ef57fd7856e", [:mix], [], "hexpm", "4f8175e96af86ac411db3e8e76de93cf9e312cb2909872bebc52cdb5586b9d80"},
"sobelow": {:hex, :sobelow, "0.11.1", "23438964486f8112b41e743bbfd402da3e5b296fdc9eacab29914b79c48916dd", [:mix], [{:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}], "hexpm", "9897363a7eff96f4809304a90aad819e2ad5e5d24db547af502885146746a53c"},
"ssl_verify_fun": {:hex, :ssl_verify_fun, "1.1.6", "cf344f5692c82d2cd7554f5ec8fd961548d4fd09e7d22f5b62482e5aeaebd4b0", [:make, :mix, :rebar3], [], "hexpm", "bdb0d2471f453c88ff3908e7686f86f9be327d065cc1ec16fa4540197ea04680"},
"telemetry": {:hex, :telemetry, "1.0.0", "0f453a102cdf13d506b7c0ab158324c337c41f1cc7548f0bc0e130bbf0ae9452", [:rebar3], [], "hexpm", "73bc09fa59b4a0284efb4624335583c528e07ec9ae76aca96ea0673850aec57a"},
"tesla": {:hex, :tesla, "1.5.0", "7ee3616be87024a2b7231ae14474310c9b999c3abb1f4f8dbc70f86bd9678eef", [:mix], [{:castore, "~> 0.1", [hex: :castore, repo: "hexpm", optional: true]}, {:exjsx, ">= 3.0.0", [hex: :exjsx, repo: "hexpm", optional: true]}, {:finch, "~> 0.13", [hex: :finch, repo: "hexpm", optional: true]}, {:fuse, "~> 2.4", [hex: :fuse, repo: "hexpm", optional: true]}, {:gun, "~> 1.3", [hex: :gun, repo: "hexpm", optional: true]}, {:hackney, "~> 1.6", [hex: :hackney, repo: "hexpm", optional: true]}, {:ibrowse, "4.4.0", [hex: :ibrowse, repo: "hexpm", optional: true]}, {:jason, ">= 1.0.0", [hex: :jason, repo: "hexpm", optional: true]}, {:mime, "~> 1.0 or ~> 2.0", [hex: :mime, repo: "hexpm", optional: false]}, {:mint, "~> 1.0", [hex: :mint, repo: "hexpm", optional: true]}, {:msgpax, "~> 2.3", [hex: :msgpax, repo: "hexpm", optional: true]}, {:poison, ">= 1.0.0", [hex: :poison, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: true]}], "hexpm", "1d0385e41fbd76af3961809088aef15dec4c2fdaab97b1c93c6484cb3695a122"},
@@ -87,4 +89,6 @@
"vector": {:hex, :vector, "0.1.0", "b7a6f8123089d75b8f9c716012fb0e024b0de01e99ec05696b417cf68a58ae45", [:mix], [], "hexpm", "2399175b7daa136a15ddbaeeb007de0b903fd21979aec1afa2ead92d37033870"},
"wallaby": {:hex, :wallaby, "0.30.1", "81342a34080867ab359aca23de4d1d8c6bbdeb35d8ce2a8c42e42b758d539963", [:mix], [{:ecto_sql, ">= 3.0.0", [hex: :ecto_sql, repo: "hexpm", optional: true]}, {:httpoison, "~> 0.12 or ~> 1.0", [hex: :httpoison, repo: "hexpm", optional: false]}, {:jason, "~> 1.1", [hex: :jason, repo: "hexpm", optional: false]}, {:phoenix_ecto, ">= 3.0.0", [hex: :phoenix_ecto, repo: "hexpm", optional: true]}, {:web_driver_client, "~> 0.2.0", [hex: :web_driver_client, repo: "hexpm", optional: false]}], "hexpm", "457251df6a94ff80816524136edbce6400cb1ee979586c90224ff634e9543d78"},
"web_driver_client": {:hex, :web_driver_client, "0.2.0", "63b76cd9eb3b0716ec5467a0f8bead73d3d9612e63f7560d21357f03ad86e31a", [:mix], [{:hackney, "~> 1.6", [hex: :hackney, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}, {:tesla, "~> 1.3", [hex: :tesla, repo: "hexpm", optional: false]}], "hexpm", "83cc6092bc3e74926d1c8455f0ce927d5d1d36707b74d9a65e38c084aab0350f"},
"yamerl": {:hex, :yamerl, "0.10.0", "4ff81fee2f1f6a46f1700c0d880b24d193ddb74bd14ef42cb0bcf46e81ef2f8e", [:rebar3], [], "hexpm", "346adb2963f1051dc837a2364e4acf6eb7d80097c0f53cbdc3046ec8ec4b4e6e"},
"yaml_elixir": {:hex, :yaml_elixir, "2.9.0", "9a256da867b37b8d2c1ffd5d9de373a4fda77a32a45b452f1708508ba7bbcb53", [:mix], [{:yamerl, "~> 0.10", [hex: :yamerl, repo: "hexpm", optional: false]}], "hexpm", "0cb0e7d4c56f5e99a6253ed1a670ed0e39c13fc45a6da054033928607ac08dfc"},
}
1 change: 1 addition & 0 deletions package.json
@@ -3,6 +3,7 @@
"scripts": {
"install": "npm install --prefix apps/site/assets --omit=optional",
"install:ci": "npm ci --prefix apps/site/assets --omit=optional",
"ci:audit:ex": "mix do deps.audit, hex.audit; cd apps/site; mix sobelow --skip --exit",
"ci:lint:ts": "npm run --prefix apps/site/assets eslint:ts",
"ci:lint:js": "npm run --prefix apps/site/assets eslint:js",
"ci:lint:scss": "npm run --prefix apps/site/assets stylelint -- css/**/*.scss",