ruby.lang.security.missing-csrf-protection.missing-csrf-protection
Verified by r2c
Community Favorite
semgrep
Author
98,234
Download Count*
License
Detected controller which does not enable cross-site request forgery protections using 'protect_from_forgery'. Add 'protect_from_forgery :with => :exception' to your controller class.
Definition
rules:
  - id: missing-csrf-protection
    patterns:
      - pattern: |
          class $CONTROLLER < ActionController::Base
            ...
          end
      - pattern-not: |
          class $CONTROLLER < ActionController::Base
            ...
            protect_from_forgery :with => :exception
          end
      - pattern-not: |
          class $CONTROLLER < ActionController::Base
            ...
            protect_from_forgery prepend: true, with: :exception
          end
    message: >-
      Detected controller which does not enable cross-site request forgery
      protections using 'protect_from_forgery'. Add 'protect_from_forgery :with
      => :exception' to your controller class.
    severity: ERROR
    metadata:
      cwe:
        - "CWE-352: Cross-Site Request Forgery (CSRF)"
      owasp:
        - A01:2021 - Broken Access Control
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross-site_request_forgery/index.markdown
      category: security
      technology:
        - ruby
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site Request Forgery (CSRF)
    languages:
      - ruby
Examples
missing-csrf-protection.rb
# ruleid:missing-csrf-protection
class DangerousController < ActionController::Base
  puts "do more stuff"
end

# ok:missing-csrf-protection
class OkController < ActionController::Base
  protect_from_forgery :with => :exception
  puts "do more stuff"
end

# ok:missing-csrf-protection
class OkController < ActionController::Base
  protect_from_forgery prepend: true, with: :exception
  puts "do more stuff"
end
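The following is an added example, not part of the Semgrep rule or the registry page: a deliberately simplified, line-based Ruby approximation of the check the rule performs, so the fixture classes above can be classified without running Semgrep. Like the rule's pattern, it only inspects classes that inherit directly from ActionController::Base, so a controller that inherits from ApplicationController is not examined and relies on its parent carrying the protect_from_forgery call; the sample source is constructed, with the second "ok" class renamed so every finding has a distinct name.

```ruby
# Simplified stand-in for the Semgrep rule: find classes inheriting directly
# from ActionController::Base and report those whose body never calls
# protect_from_forgery ... :exception (hash-rocket or keyword form).
CLASS_RE = /\A\s*class\s+(\w+)\s*<\s*ActionController::Base\b/
PROTECT_RE = /\A\s*protect_from_forgery\b.*(?::with\s*=>|\bwith:)\s*:exception\b/

# Returns { "ClassName" => true/false }; true means the protection was found.
def csrf_protection_status(source)
  status = {}
  current = nil
  depth = 0
  source.each_line do |line|
    stripped = line.strip
    if current.nil?
      if (m = CLASS_RE.match(line))
        current = m[1]
        depth = 1
        status[current] = false
      end
      next
    end
    status[current] = true if PROTECT_RE.match?(line)
    # Naive block tracking: keyword openers bump depth, a bare `end` closes one.
    depth += 1 if stripped =~ /\A(class|module|def|if|unless|while|until|case|begin|do)\b/ || stripped.end_with?(" do")
    depth -= 1 if stripped == "end"
    current = nil if depth.zero?
  end
  status
end

def unprotected_controllers(source)
  csrf_protection_status(source).reject { |_, ok| ok }.keys
end

# Constructed sample mirroring the page's fixtures.
SAMPLE = <<~RUBY
  class DangerousController < ActionController::Base
    def create
      head :ok
    end
  end

  class OkController < ActionController::Base
    protect_from_forgery :with => :exception
  end

  class OkPrependController < ActionController::Base
    protect_from_forgery prepend: true, with: :exception
  end
RUBY

puts unprotected_controllers(SAMPLE).inspect if __FILE__ == $PROGRAM_NAME
```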
Short Link: https://sg.run/XLel