mirror of
https://github.com/github/codeql.git
synced 2025-12-16 16:53:25 +01:00
18c5cb10d9
Autofix is confused about how the `protect_from_forgery` method works in Rails >= 5: GPT-5 says: > In modern Rails versions (>=5, including 6 and 7 which this gem permits), ActionController::Base already enables CSRF protection by default with the `:exception` strategy; an explicit call to `protect_from_forgery` without options does not weaken security. This is false: manual testing confirms that it actually does downgrade from `:exception` to `:null-session` behaviour when a manual call is made. I can't find any authoritative source showing this gotcha, so I can see how the AI is confused and how humans might also struggle to verify the truth.
Ruby analysis support for CodeQL
This directory contains the extractor, CodeQL libraries, and queries that power Ruby support in CodeQL products that GitHub makes available to its customers worldwide.
It contains two major components:
- static analysis libraries and queries written in CodeQL that can be used to analyze such a database to find coding mistakes or security vulnerabilities.
- an extractor, written in Rust, that parses Ruby source code and converts it into a database that can be queried using CodeQL. See Developer information for information on building the extractor (you do not need to do this if you are only developing queries).