Merge pull request #7062 from github/ruby/rails-csrf
Ruby: Add `rb/csrf-protection-disabled` query
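--- /dev/null
+++ b/[path not shown: query test expected output]
@@ -0,0 +1,4 @@
+| railsapp/app/controllers/users_controller.rb:4:3:4:47 | call to skip_before_action | Potential CSRF vulnerability due to forgery protection being disabled. |
+| railsapp/config/application.rb:15:5:15:53 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled. |
+| railsapp/config/environments/development.rb:5:3:5:51 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled. |
+| railsapp/config/environments/production.rb:5:3:5:51 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled. |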
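Review bot: The third expected row reports `railsapp/config/environments/development.rb:5:3:5:51`, but the fixture line it points at is annotated in development.rb as `# GOOD: disabling CSRF protection in the development environment should not be flagged`, so the expected output and the fixture disagree about intent. The test environment file (test.rb) is absent from these results, which suggests the query is meant to exclude non-production environments; if so, the development.rb row should be dropped and the query adjusted, otherwise the fixture comment should read `# BAD: Disabling forgery protection may open the application to CSRF attacks` like production.rb. As committed the test presumably passes while the fixture documents the opposite expectation, so the two should be reconciled.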
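--- /dev/null
+++ b/[path not shown: query reference file]
@@ -0,0 +1 @@
+queries/security/cwe-352/CSRFProtectionDisabled.ql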
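--- /dev/null
+++ b/[path not shown: application controller]
@@ -0,0 +1,2 @@
+class ApplicationController < ActionController::Base
+end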
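--- /dev/null
+++ b/[test-dir not shown]/railsapp/app/controllers/users_controller.rb
@@ -0,0 +1,11 @@
+class UsersController < ApplicationController
+
+# BAD: Disabling forgery protection may open the application to CSRF attacks
+skip_before_action :verify_authenticity_token
+
+def change_email
+user = User.find_by(name: params[:user_name])
+user.email = params[:new_email]
+user.save!
+end
+end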
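Review bot: `change_email` dereferences the result of `User.find_by(name: params[:user_name])` without a nil check, so an unknown `user_name` raises `NoMethodError` on `user.email=` instead of a not-found response; `user = User.find_by!(name: params[:user_name])` (or `return head :not_found unless user`) would make the fixture read as realistic controller code. As a test for the query it would also be worth adding a controller that calls `skip_before_action` for some other callback, so the expected output demonstrates that only `:verify_authenticity_token` is reported rather than any `skip_before_action` call.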
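--- /dev/null
+++ b/[test-dir not shown]/railsapp/config/application.rb
@@ -0,0 +1,17 @@
+require_relative 'boot'
+
+require 'rails/all'
+
+# Require the gems listed in Gemfile, including any gems
+# you've limited to :test, :development, or :production.
+Bundler.require(*Rails.groups)
+
+module Railsapp
+class Application < Rails::Application
+# Initialize configuration defaults for originally generated Rails version.
+config.load_defaults 6.0
+
+# BAD: Disabling forgery protection may open the application to CSRF attacks
+config.action_controller.allow_forgery_protection = false
+end
+end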
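--- /dev/null
+++ b/[path not shown: config/environment.rb]
@@ -0,0 +1,5 @@
+# Load the Rails application.
+require_relative 'application'
+
+# Initialize the Rails application.
+Rails.application.initialize!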
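--- /dev/null
+++ b/[test-dir not shown]/railsapp/config/environments/development.rb
@@ -0,0 +1,6 @@
+Rails.application.configure do
+# Settings specified here will take precedence over those in config/application.rb.
+
+# GOOD: disabling CSRF protection in the development environment should not be flagged
+config.action_controller.allow_forgery_protection = false
+end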
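--- /dev/null
+++ b/[test-dir not shown]/railsapp/config/environments/production.rb
@@ -0,0 +1,6 @@
+Rails.application.configure do
+# Settings specified here will take precedence over those in config/application.rb.
+
+# BAD: Disabling forgery protection may open the application to CSRF attacks
+config.action_controller.allow_forgery_protection = false
+end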
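--- /dev/null
+++ b/[path not shown: config/environments/test.rb]
@@ -0,0 +1,11 @@
+# The test environment is used exclusively to run your application's
+# test suite. You never need to work with it otherwise. Remember that
+# your test database is "scratch space" for the test suite and is wiped
+# and recreated between test runs. Don't rely on the data there!
+
+Rails.application.configure do
+# Settings specified here will take precedence over those in config/application.rb.
+
+# GOOD: disabling CSRF protection in the test environment should not be flagged
+config.action_controller.allow_forgery_protection = false
+end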
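--- /dev/null
+++ b/[path not shown: users controller test]
@@ -0,0 +1,8 @@
+require "test_helper"
+
+class UsersControllerTest < ActiveSupport::TestCase
+setup do
+# GOOD: disabling CSRF protection in tests should not be flagged
+config.action_controller.allow_forgery_protection = false
+end
+end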
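Review bot: Inside the `setup do ... end` block of an `ActiveSupport::TestCase`, a bare `config` does not appear to be defined on the test instance, so `config.action_controller.allow_forgery_protection = false` would raise `NameError` if this test were ever executed; `Rails.application.config.action_controller.allow_forgery_protection = false` is the form that resolves. Using the resolvable receiver also makes this a stronger negative case for the query, since the call then looks like the ones in the config files while still living in test code, which the expected output already leaves unreported. The file's path is not shown on the page, so its classification as a test file is inferred from the class name and the `require "test_helper"` line.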