Ruby: Add a query for CSRF protection not enabled #14308
Conversation
QHelp preview: ruby/ql/src/queries/security/cwe-352/CSRFProtectionNotEnabled.qhelp

CSRF protection not enabled

Cross-site request forgery (CSRF) is a type of vulnerability in which an attacker is able to force a user to carry out an action that the user did not intend. The attacker tricks an authenticated user into submitting a request to the web application. Typically this request will result in a state change on the server, such as changing the user's password. The request can be initiated when the user visits a site controlled by the attacker. If the web application relies only on cookies for authentication, or on other credentials that are automatically included in the request, then this request will appear as legitimate to the server.

A common countermeasure for CSRF is to generate a unique token to be included in the HTML sent from the server to a user. This token can be used as a hidden field to be sent back with requests to the server, where the server can then check that the token is valid and associated with the relevant user session.

Recommendation

In the Rails web framework, CSRF protection is enabled by adding a call to the

Example

The following example shows a case where CSRF protection is enabled with a secure request handling strategy of

```ruby
class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
end
```
References
This might be a bit over-sensitive. We could reduce the FP rate by looking for specific routes which map to actions in controllers with no
Specifically in Rails apps, we look for root ActionController classes without a call to `protect_from_forgery`.
Generate an alert for every controller class that doesn't have or inherit a `protect_from_forgery` setting.
This query only applies to codebases using Ruby on Rails < 5.2, or where there is no call to `csrf_meta_tags` in the base ERb template.
`csrf_meta_tag` is an alias for `csrf_meta_tags`, retained for backwards compatibility.
Only generate an alert on the top-most vulnerable Rails controller in the controller tree.
`ActionController::API < ActionController::Base` is a base controller class, so we should recognise it as such.
CSRF protection only needs to be explicitly enabled on Rails applications < 5.2 _or_ those that don't include a `load_defaults` call with a version >= 5.2.
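As an added example (not the CodeQL query from this PR, and not Rails' own code), the alert rule described in the commit messages above and the `protect_from_forgery with: :exception` pattern from the qhelp preview, modelled in plain Ruby so it runs without Rails. `ActionController::Base` is a hypothetical minimal stub, the controller classes are constructed for illustration, and the two functions `csrf_unprotected_controllers` and `explicit_csrf_required?` are assumed names that mirror the rule (alert only on the top-most controller that neither sets nor inherits the setting) and the version gate (Rails < 5.2, or no `load_defaults` version >= 5.2).

```ruby
# Added example, not the CodeQL query or any code from this PR: a plain-Ruby
# model of the alert rule the commits describe, runnable without Rails.
# ActionController::Base is a hypothetical minimal stub so that the
# inheritance of protect_from_forgery can be exercised in-process.

module ActionController
  class Base
    class << self
      # The stub remembers the strategy per class; real Rails does this with
      # a class_attribute, which is likewise visible to subclasses.
      attr_accessor :forgery_protection

      def protect_from_forgery(with: :null_session)
        self.forgery_protection = with
      end

      # True if this class or any ancestor controller called protect_from_forgery.
      def forgery_protection_enabled?
        klass = self
        while klass <= ActionController::Base
          return true if klass.forgery_protection
          klass = klass.superclass
        end
        false
      end
    end
  end
end

# Constructed sample app: which of these should the query report?
class ApplicationController < ActionController::Base
  # No protect_from_forgery: on Rails < 5.2, or without load_defaults >= 5.2,
  # every action routed through here accepts forged cross-site requests.
end
class UsersController < ApplicationController; end   # inherits the gap, not reported separately

class AdminController < ActionController::Base
  protect_from_forgery with: :exception              # the hardened form from the qhelp
end
class ReportsController < AdminController; end       # inherits the protection

class LegacyController < ActionController::Base; end # a second unprotected root
class LegacySubController < LegacyController; end

APP_CONTROLLERS = [ApplicationController, UsersController, AdminController,
                   ReportsController, LegacyController, LegacySubController].freeze

# Alert rule: controllers that neither set nor inherit protect_from_forgery,
# reported only at the top-most such class in each inheritance chain.
def csrf_unprotected_controllers(controllers)
  unprotected = controllers.reject(&:forgery_protection_enabled?)
  unprotected.reject { |c| unprotected.any? { |other| other != c && c < other } }
end

# Version gate: the query is only meaningful where Rails does not enable the
# protection by default, i.e. Rails < 5.2, or Rails >= 5.2 without a
# load_defaults version >= 5.2 (load_defaults_version nil means no such call).
def explicit_csrf_required?(rails_version, load_defaults_version = nil)
  threshold = Gem::Version.new("5.2")
  return true if Gem::Version.new(rails_version) < threshold
  load_defaults_version.nil? || Gem::Version.new(load_defaults_version) < threshold
end

if __FILE__ == $PROGRAM_NAME
  puts "Explicit CSRF setup required on Rails 5.1: #{explicit_csrf_required?('5.1.7')}"
  puts "Explicit CSRF setup required on Rails 7.0 with load_defaults 7.0: #{explicit_csrf_required?('7.0.4', '7.0')}"
  csrf_unprotected_controllers(APP_CONTROLLERS).each do |c|
    puts "#{c.name}: CSRF protection not enabled"
  end
end
```

Run as a script it reports `ApplicationController` and `LegacyController` only: `UsersController` and `LegacySubController` are just as exposed, but the query deduplicates to the top-most class so a fix at the root clears the whole subtree in one place.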
DCA finally ran successfully, and the results look good to me.
ruby/ql/src/change-notes/2023-09-25-csrf-protection-not-enabled.md
Looks good 👍