Ruby: Fix CSRF test

ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionDisabled.expected

@@ -1,5 +1,5 @@
 | railsapp/app/controllers/application_controller.rb:5:3:5:22 | call to protect_from_forgery | Potential CSRF vulnerability due to forgery protection being disabled or weakened. |
 | railsapp/app/controllers/users_controller.rb:4:3:4:47 | call to skip_before_action | Potential CSRF vulnerability due to forgery protection being disabled or weakened. |
-| railsapp/config/application.rb:15:5:15:53 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled or weakened. |
+| railsapp/config/application.rb:16:5:16:53 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled or weakened. |
 | railsapp/config/environments/development.rb:5:3:5:51 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled or weakened. |
 | railsapp/config/environments/production.rb:5:3:5:51 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled or weakened. |

ruby/ql/test/query-tests/security/cwe-352/railsapp/config/application.rb

@@ -9,7 +9,8 @@ Bundler.require(*Rails.groups)
 module Railsapp
   class Application < Rails::Application
     # Initialize configuration defaults for originally generated Rails version.
-    config.load_defaults 6.0
+    # This defaults version does NOT enable CSRF protection by default.
+    config.load_defaults 5.1
 
     # BAD: Disabling forgery protection may open the application to CSRF attacks
     config.action_controller.allow_forgery_protection = false