Ruby: enable forgery protection checks for development environments

2026-04-30 03:05:15 +02:00 · 2021-11-22 15:00:32 +00:00
parent 556cdbaa21
commit 68c3c16ab3
2 changed files with 3 additions and 2 deletions
--- a/ruby/ql/lib/codeql/ruby/frameworks/Rails.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/Rails.qll
@@ -106,10 +106,10 @@ private predicate hasBooleanValue(DataFlow::Node node, boolean value) {

 // `<actionControllerConfig>.allow_forgery_protection = <verificationSetting>`
 private DataFlow::CallNode getAnAllowForgeryProtectionCall(boolean verificationSetting) {
-  // exclude some test and development configuration
+  // exclude some test configuration
  not (
    result.getLocation().getFile().getRelativePath().matches("%test/%") or
-    result.getLocation().getFile().getStem() = ["test", "development"]
+    result.getLocation().getFile().getStem() = "test"
  ) and
  result.getReceiver() instanceof ActionControllerConfigNode and
  result.asExpr().getExpr().(MethodCall).getMethodName() = "allow_forgery_protection=" and
--- a/ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionDisabled.expected
+++ b/ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionDisabled.expected
@@ -1,3 +1,4 @@
 | railsapp/app/controllers/users_controller.rb:4:3:4:47 | call to skip_before_action | Potential CSRF vulnerability due to forgery protection being disabled. |
 | railsapp/config/application.rb:15:5:15:53 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled. |
+| railsapp/config/environments/development.rb:5:3:5:51 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled. |
 | railsapp/config/environments/production.rb:5:3:5:51 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled. |