ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection

Author: semgrep
This call turns off Rails' CSRF protection (it skips the verify_authenticity_token before_action) for the controller it appears in, allowing CSRF attacks against every state-changing action that controller serves.

Definition

rules:
  - id: rails-skip-forgery-protection
    pattern: skip_forgery_protection
    message: This call turns off CSRF protection allowing CSRF attacks against the
      application
    languages:
      - ruby
    severity: WARNING
    metadata:
      cwe:
        - "CWE-352: Cross-Site Request Forgery (CSRF)"
      category: security
      technology:
        - rails
      references:
        - https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html#method-i-skip_forgery_protection
      owasp:
        - A01:2021 - Broken Access Control
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site Request Forgery (CSRF)
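The pattern above is a bare identifier, so the rule flags every call to skip_forgery_protection, including scoped ones such as skip_forgery_protection only: [:webhook]; that is why it is an audit rule with LOW confidence, and each hit needs a human decision on whether the exemption is necessary and as narrow as it can be. To show what is at stake without a Rails app, the following is an added example (not code from the rule or from Rails) that models Rails' authenticity-token check in plain Ruby: a cross-site forged POST carries the victim's session but no token, so it is rejected under the default protection, processed when protection is skipped for the whole controller, and rejected again when the skip is limited to a single action. The ToyController class, its skip_for option, the secure_compare stand-in and the sample requests are all assumptions made for this illustration.

```ruby
require "securerandom"

# Added illustration (not Rails code): a minimal model of Rails'
# verify_authenticity_token before_action, so the effect of
# skip_forgery_protection can be shown without a Rails app.
class ToyController
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze # Rails does not verify these

  # skip_for: :all mirrors a bare `skip_forgery_protection`;
  # an Array of action names mirrors `skip_forgery_protection only: [...]`.
  def initialize(skip_for: nil)
    @session = { csrf_token: SecureRandom.urlsafe_base64(32) }
    @skip_for = skip_for
  end

  # What a legitimate page render would embed in its form or meta tag.
  def csrf_token
    @session[:csrf_token]
  end

  # Constant-time comparison (stand-in for ActiveSupport::SecurityUtils.secure_compare;
  # an assumption for this example, not Rails code).
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def verification_skipped?(action)
    @skip_for == :all || (@skip_for.is_a?(Array) && @skip_for.include?(action))
  end

  # Rails accepts the token from the authenticity_token param or the X-CSRF-Token header.
  def verified_request?(method, params, headers)
    return true if SAFE_METHODS.include?(method)
    token = params["authenticity_token"] || headers["X-CSRF-Token"]
    !token.nil? && secure_compare(token, @session[:csrf_token])
  end

  # Returns :action_ran when the state-changing action executes, :rejected otherwise
  # (Rails would raise ActionController::InvalidAuthenticityToken instead).
  def handle(method:, action:, params: {}, headers: {})
    return :rejected unless verification_skipped?(action) || verified_request?(method, params, headers)
    :action_ran
  end
end

# Constructed cross-site forged POST: the attacker's page can make the victim's
# browser send the session cookie but cannot read the token, so none is included.
FORGED_POST = { method: "POST", action: :transfer, params: { "amount" => "1000" } }.freeze

# Bare skip_forgery_protection: the forged request is processed.
def forged_request_with_protection_skipped
  ToyController.new(skip_for: :all).handle(**FORGED_POST)
end

# Default protection: the forged request is rejected ...
def forged_request_with_protection
  ToyController.new.handle(**FORGED_POST)
end

# ... while a same-origin form that carries the token still works.
def legitimate_request_with_protection
  c = ToyController.new
  c.handle(method: "POST", action: :transfer,
           params: { "amount" => "10", "authenticity_token" => c.csrf_token })
end

# Narrow the exemption to the one endpoint that needs it (e.g. a signed webhook);
# the other actions keep their protection.
def scoped_skip
  c = ToyController.new(skip_for: [:webhook])
  [c.handle(method: "POST", action: :webhook), c.handle(**FORGED_POST)]
end

if __FILE__ == $PROGRAM_NAME
  puts "skipped:   #{forged_request_with_protection_skipped}"
  puts "protected: #{forged_request_with_protection}"
  puts "legit:     #{legitimate_request_with_protection}"
  puts "scoped:    #{scoped_skip.inspect}"
end
```

When triaging a finding, the scoped_skip case is the shape to look for in real code: skip_forgery_protection accepts the same options as skip_before_action (see the referenced API docs), so an `only:` restricted to an endpoint that authenticates requests some other way is usually acceptable, while a bare call in ApplicationController, as in the rule's own example below, disables the check for the whole application.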

Examples

rails-skip-forgery-protection.rb

# A class responding to handle_unverified_request can be supplied to
# protect_from_forgery with: CustomStrategy to customise what happens when
# verification fails; it is unrelated to the flagged call below.
class CustomStrategy
  def initialize(controller)
    @controller = controller
  end

  def handle_unverified_request
    # Custom behaviour for unverified request
  end
end

class ApplicationController < ActionController::Base
  # ruleid: rails-skip-forgery-protection
  skip_forgery_protection
end

class ApplicationController2 < ActionController::Base
  # ok: rails-skip-forgery-protection
end