Ruby: Make CSRF query more sensitive

Generate an alert for every controller class that doesn't have or inherity a `protect_from_forgery` setting.
2026-04-25 16:55:19 +02:00 · 2023-09-25 13:46:50 +01:00
parent 49d826f667
commit 6d6f8ba512
4 changed files with 21 additions and 7 deletions
--- a/ruby/ql/src/queries/security/cwe-352/CSRFProtectionNotEnabled.ql
+++ b/ruby/ql/src/queries/security/cwe-352/CSRFProtectionNotEnabled.ql
@@ -15,9 +15,17 @@ import codeql.ruby.AST
 import codeql.ruby.Concepts
 import codeql.ruby.frameworks.ActionController

-from ActionController::RootController c
-where
-  not exists(ActionController::ProtectFromForgeryCall call |
-    c.getSelf().flowsTo(call.getReceiver())
-  )
-select c, "Potential CSRF vulnerability due to forgery protection not being enabled"
+/**
+ * Holds if a call to `protect_from_forgery` is made in the controller class `definedIn`,
+ * which is inherited by the controller class `child`.
+ */
+private predicate protectFromForgeryCall(
+  ActionControllerClass definedIn, ActionControllerClass child,
+  ActionController::ProtectFromForgeryCall call
+) {
+  definedIn.getSelf().flowsTo(call.getReceiver()) and child = definedIn.getADescendent()
+}
+
+from ActionControllerClass c
+where not protectFromForgeryCall(_, c, _)
+select c, "Potential CSRF vulnerability due to forgery protection not being enabled."
--- a/ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionNotEnabled.expected
+++ b/ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionNotEnabled.expected
@@ -1 +1,2 @@
-| railsapp/app/controllers/alternative_root_controller.rb:1:1:3:3 | AlternativeRootController | Potential CSRF vulnerability due to forgery protection not being enabled |
+| railsapp/app/controllers/alternative_root_controller.rb:1:1:3:3 | AlternativeRootController | Potential CSRF vulnerability due to forgery protection not being enabled. |
+| railsapp/app/controllers/tags_controller.rb:1:1:2:3 | TagsController | Potential CSRF vulnerability due to forgery protection not being enabled. |
--- a/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/subscriptions_controller.rb
+++ b/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/subscriptions_controller.rb
@@ -0,0 +1,3 @@
+class SubscriptionsController < AlternativeRootController
+    protect_from_forgery with: :exception
+end
--- a/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/tags_controller.rb
+++ b/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/tags_controller.rb
@@ -0,0 +1,2 @@
+class TagsController < AlternativeRootController
+end