hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Ruby: Update CSRF protection notes in documentation

Browse Source 
Autofix is confused about how the `protect_from_forgery` method works in Rails >= 5: GPT-5 says:

> In modern Rails versions (>=5, including 6 and 7 which this gem permits), ActionController::Base already enables CSRF protection by default with the `:exception` strategy; an explicit call to `protect_from_forgery` without options does not weaken security.

This is false: manual testing confirms that it actually does downgrade from `:exception` to `:null-session` behaviour when a manual call is made.

I can't find any authoritative source showing this gotcha, so I can see how the AI is confused and how humans might also struggle to verify the truth.
This commit is contained in:
Chris Smowton
2025-09-29 18:42:11 +01:00
committed by GitHub
parent b52fff2f81
commit 18c5cb10d9
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
ruby/ql/src/queries/security/cwe-352/CSRFProtectionDisabled.qhelp
View File

@@ -58,6 +58,11 @@
for example if parts of the session are memoized. Calling
<code>protect_from_forgery with: :exception</code> can help to avoid this
by raising an exception on an invalid CSRF token instead.
Note this remains true even in Rails version 5 and later: these versions
automatically run <code>protect_from_forgery with: :exception</code>
by default, but manually calling <code>protect_from_forgery</code> with
no <code>with</code> argument will still downgrade protection to null the
session rather than raise an exception.
</p>
</example>