ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection
semgrep
Author
unknown
This call turns off CSRF protection, allowing CSRF attacks against the application.
Definition

```yaml
rules:
  - id: rails-skip-forgery-protection
    pattern: skip_forgery_protection
    message: This call turns off CSRF protection allowing CSRF attacks against the application
    languages:
      - ruby
    severity: WARNING
    metadata:
      cwe:
        - "CWE-352: Cross-Site Request Forgery (CSRF)"
      category: security
      technology:
        - rails
      references:
        - https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html#method-i-skip_forgery_protection
      owasp:
        - A01:2021 - Broken Access Control
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site Request Forgery (CSRF)
```
Examples

rails-skip-forgery-protection.rb

```ruby
# A custom forgery-protection strategy: Rails instantiates it with the
# controller and calls handle_unverified_request when the CSRF token check fails
# (usable via `protect_from_forgery with: CustomStrategy`). It is not the pattern
# the rule flags.
class CustomStrategy
  def initialize(controller)
    @controller = controller
  end

  def handle_unverified_request
    # Custom behaviour for unverified request
  end
end

class ApplicationController < ActionController::Base
  # ruleid: rails-skip-forgery-protection
  skip_forgery_protection
end

class ApplicationController2 < ActionController::Base
  # ok: rails-skip-forgery-protection
end
```
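The rule above is a plain pattern match on the method name, so it reports every call without telling the reviewer how wide the exemption is. The following stand-alone Ruby audit is an added example, not Semgrep and not the rule's own code: it scans controller source for uncommented `skip_forgery_protection` calls, records the enclosing class (tracked heuristically as the most recent `class` declaration) and any arguments, and labels a call as unscoped when it carries no options. In Rails the method forwards its options to `skip_before_action :verify_authenticity_token`, so an `only:`/`except:` argument narrows the exemption to specific actions, which is what a reviewer wants to see next to each finding. The sample source, the helper names `find_forgery_skips` and `format_findings`, and the `WebhooksController`/`AccountsController` classes are constructed for this example.

```ruby
# Added example (not Semgrep, not the rule's own code): a stand-alone audit that
# mirrors what rails-skip-forgery-protection flags and adds the scope of each
# exemption so a reviewer can judge whether it is justified.

# Matches skip_forgery_protection at statement position and captures whatever
# follows it (e.g. "only: [:receive]").
SKIP_CALL = /\A\s*skip_forgery_protection\b\s*(.*)\z/
# Matches a class declaration and captures its name.
CLASS_DECL = /\A\s*class\s+([A-Z][\w:]*)/

# Scan Ruby source text and return one finding per matching line:
#   { line: Integer, controller: String, args: String }
# The enclosing class is tracked heuristically as the most recent `class`
# declaration, which is enough for one-controller-per-file layouts.
def find_forgery_skips(source)
  findings = []
  current_class = "(top level)"
  source.each_line.with_index(1) do |raw, lineno|
    code = raw.chomp.sub(/#.*/, "") # strip trailing comments (naive: ignores '#' inside strings)
    if (m = code.match(CLASS_DECL))
      current_class = m[1]
    elsif (m = code.match(SKIP_CALL))
      findings << { line: lineno, controller: current_class, args: m[1].strip }
    end
  end
  findings
end

# Render findings as report lines: rule id, location, and whether the skip is
# unscoped (the whole controller loses CSRF checks) or limited with options.
def format_findings(findings)
  findings.map do |f|
    scope = f[:args].empty? ? "unscoped" : "scoped: #{f[:args]}"
    "rails-skip-forgery-protection: line #{f[:line]} in #{f[:controller]} (#{scope})"
  end
end

# Constructed sample input: the registry's flagged controller plus two extra
# cases (a call scoped with only:, and a commented-out call) to show the edges.
SAMPLE_SOURCE = <<~RUBY
  class ApplicationController < ActionController::Base
    # ruleid: rails-skip-forgery-protection
    skip_forgery_protection
  end

  class WebhooksController < ApplicationController
    skip_forgery_protection only: [:receive]   # exemption limited to one action
  end

  class AccountsController < ApplicationController
    protect_from_forgery with: :exception
    # skip_forgery_protection   <- commented out, must not be reported
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  puts format_findings(find_forgery_skips(SAMPLE_SOURCE))
end
```

Run with `ruby audit.rb` (any file name) to print the two findings; the unscoped one in `ApplicationController` is the case the rule's message warns about, since every action in every subclass inherits the missing check. To audit a real tree, read each file under `app/controllers/` and pass its contents to `find_forgery_skips`.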
Short Link: https://sg.run/PgwY