ruby.lang.security.missing-csrf-protection.missing-csrf-protection

Verifed by r2c
Community Favorite
profile photo of returntocorpreturntocorp
Author
98,234
Download Count*

Detected controller which does not enable cross-site request forgery protections using 'protect_from_forgery'. Add 'protect_from_forgery :with => :exception' to your controller class.

Run Locally

Run in CI

Defintion

rules:
  - id: missing-csrf-protection
    patterns:
      - pattern: |
          class $CONTROLLER < ActionController::Base
            ...
          end
      - pattern-not: |
          class $CONTROLLER < ActionController::Base
            ...
            protect_from_forgery :with => :exception
          end
      - pattern-not: |
          class $CONTROLLER < ActionController::Base
            ...
            protect_from_forgery prepend: true, with: :exception
          end
    message: Detected controller which does not enable cross-site request forgery
      protections using 'protect_from_forgery'. Add 'protect_from_forgery :with
      => :exception' to your controller class.
    severity: ERROR
    metadata:
      cwe:
        - "CWE-352: Cross-Site Request Forgery (CSRF)"
      owasp:
        - A01:2021 - Broken Access Control
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross-site_request_forgery/index.markdown
      category: security
      technology:
        - ruby
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - ruby

Examples

missing-csrf-protection.rb

# ruleid:missing-csrf-protection
class DangerousController < ActionController::Base

  puts "do more stuff"

end

# ok:missing-csrf-protection
class OkController < ActionController::Base

  protect_from_forgery :with => :exception

  puts "do more stuff"

end

# ok:missing-csrf-protection
class OkController < ActionController::Base

  protect_from_forgery prepend: true, with: :exception

  puts "do more stuff"

end