mirror of
https://github.com/github/codeql.git
synced 2025-12-16 16:53:25 +01:00
Autofix is confused about how the `protect_from_forgery` method works in Rails >= 5. GPT-5 says:

> In modern Rails versions (>=5, including 6 and 7 which this gem permits), ActionController::Base already enables CSRF protection by default with the `:exception` strategy; an explicit call to `protect_from_forgery` without options does not weaken security.

This is false: manual testing confirms that it actually does downgrade from `:exception` to `:null_session` behaviour when a manual call is made. I can't find any authoritative source showing this gotcha, so I can see how the AI is confused and how humans might also struggle to verify the truth.
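The downgrade described in this issue comes from the default argument of `protect_from_forgery`: when no `with:` option is given, the strategy falls back to `:null_session`, and because the setting is a class-level attribute, that call replaces the `:exception` strategy the framework installed on the base class (what `config.action_controller.default_protect_from_forgery` does in new Rails apps). The following stand-alone Ruby script is an added example, written for this page and not taken from the issue, from CodeQL, or from Rails source. It models that resolution rule without booting Rails; the module, class and helper names (`ForgeryProtection`, `BaseController`, `effective_strategy`, `downgraded?`) are assumptions for illustration, and the real method lives in `ActionController::RequestForgeryProtection`.

```ruby
# Added example, not Rails source: a minimal model of how protect_from_forgery
# resolves its strategy so the downgrade can be reproduced without Rails.
# Names are assumptions chosen to mirror the shape of the real API.
module ForgeryProtection
  STRATEGIES = %i[exception null_session reset_session].freeze

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Inheritable class-level setting: a subclass reads its parent's value
    # until it sets its own (the behaviour Rails gets from class_attribute).
    def forgery_protection_strategy
      return @forgery_protection_strategy if defined?(@forgery_protection_strategy)
      return superclass.forgery_protection_strategy if superclass.respond_to?(:forgery_protection_strategy)
      nil
    end

    # As in Rails, a call with no `with:` option falls back to :null_session.
    # That fallback is the gotcha: it overwrites whatever the parent had set.
    def protect_from_forgery(options = {})
      strategy = options[:with] || :null_session
      raise ArgumentError, "unknown strategy #{strategy.inspect}" unless STRATEGIES.include?(strategy)
      @forgery_protection_strategy = strategy
    end
  end
end

# Stand-in for ActionController::Base with the framework default applied
# (the equivalent of default_protect_from_forgery being enabled).
class BaseController
  include ForgeryProtection
  protect_from_forgery with: :exception
end

# Inherits :exception from the base class and leaves it alone.
class InheritsDefaultController < BaseController; end

# The pattern the autofix called harmless: an explicit call with no options.
class BareCallController < BaseController
  protect_from_forgery
end

# The explicit form that keeps the strict behaviour.
class ExplicitExceptionController < BaseController
  protect_from_forgery with: :exception
end

# The strategy a controller class actually ends up with.
def effective_strategy(controller_class)
  controller_class.forgery_protection_strategy
end

# True when a controller's own call silently weakened an inherited :exception.
def downgraded?(controller_class)
  parent = controller_class.superclass
  parent.respond_to?(:forgery_protection_strategy) &&
    parent.forgery_protection_strategy == :exception &&
    controller_class.forgery_protection_strategy != :exception
end

if $PROGRAM_NAME == __FILE__
  [InheritsDefaultController, BareCallController, ExplicitExceptionController].each do |c|
    puts "#{c.name}: #{effective_strategy(c)}#{' (downgraded)' if downgraded?(c)}"
  end
end
```

Running the script prints `:null_session` for `BareCallController` and `:exception` for the other two, which is the behaviour the manual testing above observed. The practical takeaway for an autofix or a reviewer is that an existing bare `protect_from_forgery` in a Rails 5+ controller should be rewritten as `protect_from_forgery with: :exception` rather than left in place or removed on the assumption that the default already covers it.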