hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-02 12:15:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Ruby: Make CSRF query more sensitive

Browse Source 
Generate an alert for every controller class that doesn't have or
inherity a `protect_from_forgery` setting.
This commit is contained in:
Harry Maclean
2023-09-25 13:46:50 +01:00
parent 49d826f667
commit 6d6f8ba512
4 changed files with 21 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionNotEnabled.expected
View File

@@ -1 +1,2 @@
| railsapp/app/controllers/alternative_root_controller.rb:1:1:3:3 | AlternativeRootController | Potential CSRF vulnerability due to forgery protection not being enabled |
| railsapp/app/controllers/alternative_root_controller.rb:1:1:3:3 | AlternativeRootController | Potential CSRF vulnerability due to forgery protection not being enabled. |
| railsapp/app/controllers/tags_controller.rb:1:1:2:3 | TagsController | Potential CSRF vulnerability due to forgery protection not being enabled. |

3
ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/subscriptions_controller.rb Normal file
View File

@@ -0,0 +1,3 @@
class SubscriptionsController < AlternativeRootController
protect_from_forgery with: :exception
end

2
ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/tags_controller.rb Normal file
View File

@@ -0,0 +1,2 @@
class TagsController < AlternativeRootController
end