Merge pull request #14308 from hmac/hmac-rb-csrf-not-enabled

Ruby: Add a query for CSRF protection not enabled
2026-05-05 21:55:19 +02:00 · 2024-04-02 11:30:36 +01:00
parent 3c8c45872e 806f42ef72
commit 409f46ef7b
17 changed files with 490 additions and 35 deletions
--- a/ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionDisabled.expected
+++ b/ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionDisabled.expected
@@ -1,5 +1,5 @@
 | railsapp/app/controllers/application_controller.rb:5:3:5:22 | call to protect_from_forgery | Potential CSRF vulnerability due to forgery protection being disabled or weakened. |
 | railsapp/app/controllers/users_controller.rb:4:3:4:47 | call to skip_before_action | Potential CSRF vulnerability due to forgery protection being disabled or weakened. |
-| railsapp/config/application.rb:15:5:15:53 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled or weakened. |
+| railsapp/config/application.rb:16:5:16:53 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled or weakened. |
 | railsapp/config/environments/development.rb:5:3:5:51 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled or weakened. |
 | railsapp/config/environments/production.rb:5:3:5:51 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled or weakened. |
--- a/ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionNotEnabled.expected
+++ b/ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionNotEnabled.expected
@@ -0,0 +1 @@
+| railsapp/app/controllers/alternative_root_controller.rb:1:1:3:3 | AlternativeRootController | Potential CSRF vulnerability due to forgery protection not being enabled. |
--- a/ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionNotEnabled.qlref
+++ b/ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionNotEnabled.qlref
@@ -0,0 +1 @@
+queries/security/cwe-352/CSRFProtectionNotEnabled.ql
--- a/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/alternative_root_controller.rb
+++ b/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/alternative_root_controller.rb
@@ -0,0 +1,3 @@
+class AlternativeRootController < ActionController::Base
+    # BAD: no protect_from_forgery call
+end
--- a/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/subscriptions_controller.rb
+++ b/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/subscriptions_controller.rb
@@ -0,0 +1,3 @@
+class SubscriptionsController < AlternativeRootController
+    protect_from_forgery with: :exception
+end
--- a/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/tags_controller.rb
+++ b/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/tags_controller.rb
@@ -0,0 +1,2 @@
+class TagsController < AlternativeRootController
+end
--- a/ruby/ql/test/query-tests/security/cwe-352/railsapp/config/application.rb
+++ b/ruby/ql/test/query-tests/security/cwe-352/railsapp/config/application.rb
@@ -9,7 +9,8 @@ Bundler.require(*Rails.groups)
 module Railsapp
  class Application < Rails::Application
    # Initialize configuration defaults for originally generated Rails version.
-    config.load_defaults 6.0
+    # This defaults version does NOT enable CSRF protection by default.
+    config.load_defaults 5.1

    # BAD: Disabling forgery protection may open the application to CSRF attacks
    config.action_controller.allow_forgery_protection = false
				`@@ -0,0 +1 @@`
				`\| railsapp/app/controllers/alternative_root_controller.rb:1:1:3:3 \| AlternativeRootController \| Potential CSRF vulnerability due to forgery protection not being enabled. \|`
				`@@ -0,0 +1 @@`
				`queries/security/cwe-352/CSRFProtectionNotEnabled.ql`