Ruby: reduce duplicate alerts for csrf query

Only generate an alert on the top-most vulnerable Rails controller in
the controller tree.
Harry Maclean
2023-10-10 15:37:32 +01:00
parent 1fbf177b54
commit 32b775fdc3
2 changed files with 4 additions and 3 deletions


@@ -18,7 +18,7 @@ import codeql.ruby.frameworks.Gemfile
/**
* Holds if a call to `protect_from_forgery` is made in the controller class `definedIn`,
* which is inherited by the controller class `child`.
* which is inherited by the controller class `child`. These classes may be the same.
*/
private predicate protectFromForgeryCall(
ActionControllerClass definedIn, ActionControllerClass child,
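Review bot: the reworded doc comment now permits `definedIn` and `child` to be the same class, but the parameter name `child` and the phrase "inherited by" still read as a strict subclass relation, so a caller skimming the signature may assume `definedIn != child`. Suggest making the second sentence explicit, e.g. "`child` is either `definedIn` itself or a (transitive) subclass of it", so the reflexive case is visible without reading the body.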
@@ -45,5 +45,7 @@ where
railsPreVersion3()
or
not any(MethodCall m).getMethodName() = ["csrf_meta_tags", "csrf_meta_tag"]
)
) and
// Only generate alerts for the topmost controller in the tree.
not exists(ActionControllerClass parent | c = parent.getAnImmediateDescendent())
select c, "Potential CSRF vulnerability due to forgery protection not being enabled."
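Review bot: the new filter `not exists(ActionControllerClass parent | c = parent.getAnImmediateDescendent())` removes every controller that has any parent controller, not only those whose parent is itself reported, which is narrower than the "top-most vulnerable controller" the commit message describes: a vulnerable subclass of a base controller that is not flagged would lose its alert entirely. Suggest factoring the vulnerability condition of the `where` clause into a predicate (hypothetically `isVulnerable`) and requiring it of the parent too, e.g. `not exists(ActionControllerClass parent | c = parent.getAnImmediateDescendent() and isVulnerable(parent))`, and updating the inline comment from "topmost controller" to "topmost vulnerable controller" so it matches the intended behaviour.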