Merge pull request #20550 from github/smowton/admin/document-rails-5-csrf

Ruby: Update CSRF protection notes in documentation
2025-12-16 16:53:25 +01:00 · 2025-10-27 12:19:16 +00:00
parent 47b26ddea4 ff4b97bf2d
commit 2e0e9e0834
2 changed files with 11 additions and 0 deletions
--- a/ruby/ql/src/queries/security/cwe-352/CSRFProtectionDisabled.qhelp
+++ b/ruby/ql/src/queries/security/cwe-352/CSRFProtectionDisabled.qhelp
@@ -58,6 +58,11 @@
      for example if parts of the session are memoized. Calling
      <code>protect_from_forgery with: :exception</code> can help to avoid this
      by raising an exception on an invalid CSRF token instead.
+      Note this remains true even in Rails version 5 and later: these versions
+      automatically run <code>protect_from_forgery with: :exception</code>
+      by default, but manually calling <code>protect_from_forgery</code> with
+      no <code>with</code> argument will still downgrade protection to provide an
+      empty session rather than raise an exception.
    </p>

  </example>
--- a/ruby/ql/src/queries/security/cwe-352/CSRFProtectionNotEnabled.qhelp
+++ b/ruby/ql/src/queries/security/cwe-352/CSRFProtectionNotEnabled.qhelp
@@ -42,6 +42,12 @@
      vulnerability - for example if parts of the session are memoized. Calling
      <code>protect_from_forgery with: :exception</code> can help to avoid this
      by raising an exception on an invalid CSRF token instead.
+
+      Note that Rails versions 5 and later
+      automatically run <code>protect_from_forgery with: :exception</code>
+      by default, but manually calling <code>protect_from_forgery</code> with
+      no <code>with</code> argument will downgrade protection to provide an empty
+      session rather than raise an exception.
    </p>
  </recommendation>