From 2751a97619d28451ce6e02722fa16b606d3bc291 Mon Sep 17 00:00:00 2001 From: Jason Yeo Date: Mon, 4 Apr 2016 15:38:32 +0800 Subject: [PATCH 1/6] Fix #848. Check forgery setting in all direct subclasses of ActionController::Base --- lib/brakeman/checks/check_forgery_setting.rb | 98 ++++++++++--------- .../app/controllers/base_controller.rb | 3 + test/tests/rails4_with_engines.rb | 2 +- 3 files changed, 54 insertions(+), 49 deletions(-) create mode 100644 test/apps/rails4_with_engines/engines/user_removal/app/controllers/base_controller.rb diff --git a/lib/brakeman/checks/check_forgery_setting.rb b/lib/brakeman/checks/check_forgery_setting.rb index 2fc956a20c..7bc881dc9f 100644 --- a/lib/brakeman/checks/check_forgery_setting.rb +++ b/lib/brakeman/checks/check_forgery_setting.rb 
@@ -7,67 +7,69 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck Brakeman::Checks.add self - @description = "Verifies that protect_from_forgery is enabled in ApplicationController" + @description = "Verifies that protect_from_forgery is enabled in direct subclasses of ActionController::Base" def run_check - app_controller = tracker.controllers[:ApplicationController] - return unless app_controller and app_controller.ancestor? :"ActionController::Base" + tracker.controllers + .select { |_, controller| controller.parent == :"ActionController::Base" } + .each do |name, controller| - if tracker.config.allow_forgery_protection? - warn :controller => :ApplicationController, - :warning_type => "Cross-Site Request Forgery", - :warning_code => :csrf_protection_disabled, - :message => "Forgery protection is disabled", - :confidence => CONFIDENCE[:high], - :file => app_controller.file + if tracker.config.allow_forgery_protection? + warn :controller => name, + :warning_type => "Cross-Site Request Forgery", + :warning_code => :csrf_protection_disabled, + :message => "Forgery protection is disabled", + :confidence => CONFIDENCE[:high], + :file => controller.file - elsif app_controller and not app_controller.protect_from_forgery? + elsif controller and not controller.protect_from_forgery? - warn :controller => :ApplicationController, - :warning_type => "Cross-Site Request Forgery", - :warning_code => :csrf_protection_missing, - :message => "'protect_from_forgery' should be called in ApplicationController", - :confidence => CONFIDENCE[:high], - :file => app_controller.file, - :line => app_controller.top_line + warn :controller => name, + :warning_type => "Cross-Site Request Forgery", + :warning_code => :csrf_protection_missing, + :message => "'protect_from_forgery' should be called in #{name}", + :confidence => CONFIDENCE[:high], + :file => controller.file, + :line => controller.top_line - elsif version_between? "2.1.0", "2.3.10" + elsif version_between? 
"2.1.0", "2.3.10" - warn :controller => :ApplicationController, - :warning_type => "Cross-Site Request Forgery", - :warning_code => :CVE_2011_0447, - :message => "CSRF protection is flawed in unpatched versions of Rails #{rails_version} (CVE-2011-0447). Upgrade to 2.3.11 or apply patches as needed", - :confidence => CONFIDENCE[:high], - :gem_info => gemfile_or_environment, - :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion" + warn :controller => name, + :warning_type => "Cross-Site Request Forgery", + :warning_code => :CVE_2011_0447, + :message => "CSRF protection is flawed in unpatched versions of Rails #{rails_version} (CVE-2011-0447). Upgrade to 2.3.11 or apply patches as needed", + :confidence => CONFIDENCE[:high], + :gem_info => gemfile_or_environment, + :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion" - elsif version_between? "3.0.0", "3.0.3" + elsif version_between? "3.0.0", "3.0.3" - warn :controller => :ApplicationController, - :warning_type => "Cross-Site Request Forgery", - :warning_code => :CVE_2011_0447, - :message => "CSRF protection is flawed in unpatched versions of Rails #{rails_version} (CVE-2011-0447). Upgrade to 3.0.4 or apply patches as needed", - :confidence => CONFIDENCE[:high], - :gem_info => gemfile_or_environment, - :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion" - elsif version_between? "4.0.0", "100.0.0" and forgery_opts = app_controller.options[:protect_from_forgery] + warn :controller => name, + :warning_type => "Cross-Site Request Forgery", + :warning_code => :CVE_2011_0447, + :message => "CSRF protection is flawed in unpatched versions of Rails #{rails_version} (CVE-2011-0447). 
Upgrade to 3.0.4 or apply patches as needed", + :confidence => CONFIDENCE[:high], + :gem_info => gemfile_or_environment, + :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion" + elsif version_between? "4.0.0", "100.0.0" and forgery_opts = controller.options[:protect_from_forgery] - unless forgery_opts.is_a?(Array) and sexp?(forgery_opts.first) and - access_arg = hash_access(forgery_opts.first.first_arg, :with) and symbol? access_arg and - access_arg.value == :exception + unless forgery_opts.is_a?(Array) and sexp?(forgery_opts.first) and + access_arg = hash_access(forgery_opts.first.first_arg, :with) and symbol? access_arg and + access_arg.value == :exception - args = { - :controller => :ApplicationController, - :warning_type => "Cross-Site Request Forgery", - :warning_code => :csrf_not_protected_by_raising_exception, - :message => "protect_from_forgery should be configured with 'with: :exception'", - :confidence => CONFIDENCE[:med], - :file => app_controller.file - } + args = { + :controller => name, + :warning_type => "Cross-Site Request Forgery", + :warning_code => :csrf_not_protected_by_raising_exception, + :message => "protect_from_forgery should be configured with 'with: :exception'", + :confidence => CONFIDENCE[:med], + :file => controller.file + } - args.merge!(:code => forgery_opts.first) if forgery_opts.is_a?(Array) + args.merge!(:code => forgery_opts.first) if forgery_opts.is_a?(Array) - warn args + warn args + end end end end diff --git a/test/apps/rails4_with_engines/engines/user_removal/app/controllers/base_controller.rb b/test/apps/rails4_with_engines/engines/user_removal/app/controllers/base_controller.rb new file mode 100644 index 0000000000..236d252a3c --- /dev/null +++ b/test/apps/rails4_with_engines/engines/user_removal/app/controllers/base_controller.rb @@ -0,0 +1,3 @@ +class BaseController < ActionController::Base + # missing protect_from_forgery call +end 
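Review bot: The `tracker.config.allow_forgery_protection?` and `version_between?` branches now sit inside the `.each` block, so these app-wide conditions are re-evaluated for every direct subclass of ActionController::Base and a globally disabled setting or an unpatched Rails 2.3/3.0 yields one `csrf_protection_disabled` or `CVE_2011_0447` warning per such controller instead of once per scan. Only the `protect_from_forgery?` and `:with => :exception` checks depend on the controller; the other two belong outside the loop, guarded so that the per-controller checks still run (patch 2 of this series begins that hoist). The `controller and` in `elsif controller and not controller.protect_from_forgery?` also looks redundant, since `controller` is the value selected from `tracker.controllers`, unless that hash can hold nil entries.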
diff --git a/test/tests/rails4_with_engines.rb b/test/tests/rails4_with_engines.rb index 04892c0971..16025e5fa8 100644 --- a/test/tests/rails4_with_engines.rb +++ b/test/tests/rails4_with_engines.rb @@ -6,7 +6,7 @@ class Rails4WithEnginesTests < Test::Unit::TestCase def expected @expected ||= { - :controller => 1, + :controller => 2, :model => 5, :template => 11, :generic => 10 } From 7cbd664721e919db25287587391903dfc1296062 Mon Sep 17 00:00:00 2001 From: Jason Yeo Date: Tue, 5 Apr 2016 20:13:14 +0800 Subject: [PATCH 2/6] Factor out csrf config check from iteration --- lib/brakeman/checks/check_forgery_setting.rb | 100 +++++++++---------- 1 file changed, 45 insertions(+), 55 deletions(-) diff --git a/lib/brakeman/checks/check_forgery_setting.rb b/lib/brakeman/checks/check_forgery_setting.rb index 7bc881dc9f..dd9aea8221 100644 --- a/lib/brakeman/checks/check_forgery_setting.rb +++ b/lib/brakeman/checks/check_forgery_setting.rb 
@@ -10,65 +10,55 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck @description = "Verifies that protect_from_forgery is enabled in direct subclasses of ActionController::Base" def run_check - tracker.controllers - .select { |_, controller| controller.parent == :"ActionController::Base" } - .each do |name, controller| + cve_2011_0447_warning = { + :warning_type => "Cross-Site Request Forgery", + :warning_code => :CVE_2011_0447, + :confidence => CONFIDENCE[:high], + :gem_info => gemfile_or_environment, + :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion" + } - if tracker.config.allow_forgery_protection? - warn :controller => name, - :warning_type => "Cross-Site Request Forgery", - :warning_code => :csrf_protection_disabled, - :message => "Forgery protection is disabled", - :confidence => CONFIDENCE[:high], - :file => controller.file + if tracker.config.allow_forgery_protection? + warn :warning_type => "Cross-Site Request Forgery", + :warning_code => :csrf_protection_disabled, + :message => "Forgery protection is disabled", + :confidence => CONFIDENCE[:high] + elsif version_between? "2.1.0", "2.3.10" + cve_2011_0447_warning[:message] = "CSRF protection is flawed in unpatched versions of Rails #{rails_version} (CVE-2011-0447). Upgrade to 2.3.11 or apply patches as needed" + warn cve_2011_0447_warning + elsif version_between? "3.0.0", "3.0.3" + cve_2011_0447_warning[:message] = "CSRF protection is flawed in unpatched versions of Rails #{rails_version} (CVE-2011-0447). Upgrade to 3.0.4 or apply patches as needed" + warn cve_2011_0447_warning + else + tracker.controllers + .select { |_, controller| controller.parent == :"ActionController::Base" } + .each do |name, controller| + if controller and not controller.protect_from_forgery? 
+ warn :controller => name, + :warning_type => "Cross-Site Request Forgery", + :warning_code => :csrf_protection_missing, + :message => "'protect_from_forgery' should be called in #{name}", + :confidence => CONFIDENCE[:high], + :file => controller.file, + :line => controller.top_line + elsif version_between? "4.0.0", "100.0.0" and forgery_opts = controller.options[:protect_from_forgery] + unless forgery_opts.is_a?(Array) and sexp?(forgery_opts.first) and + access_arg = hash_access(forgery_opts.first.first_arg, :with) and symbol? access_arg and + access_arg.value == :exception - elsif controller and not controller.protect_from_forgery? + args = { + :controller => name, + :warning_type => "Cross-Site Request Forgery", + :warning_code => :csrf_not_protected_by_raising_exception, + :message => "protect_from_forgery should be configured with 'with: :exception'", + :confidence => CONFIDENCE[:med], + :file => controller.file + } - warn :controller => name, - :warning_type => "Cross-Site Request Forgery", - :warning_code => :csrf_protection_missing, - :message => "'protect_from_forgery' should be called in #{name}", - :confidence => CONFIDENCE[:high], - :file => controller.file, - :line => controller.top_line + args.merge!(:code => forgery_opts.first) if forgery_opts.is_a?(Array) - elsif version_between? "2.1.0", "2.3.10" - - warn :controller => name, - :warning_type => "Cross-Site Request Forgery", - :warning_code => :CVE_2011_0447, - :message => "CSRF protection is flawed in unpatched versions of Rails #{rails_version} (CVE-2011-0447). Upgrade to 2.3.11 or apply patches as needed", - :confidence => CONFIDENCE[:high], - :gem_info => gemfile_or_environment, - :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion" - - elsif version_between? 
"3.0.0", "3.0.3" - - warn :controller => name, - :warning_type => "Cross-Site Request Forgery", - :warning_code => :CVE_2011_0447, - :message => "CSRF protection is flawed in unpatched versions of Rails #{rails_version} (CVE-2011-0447). Upgrade to 3.0.4 or apply patches as needed", - :confidence => CONFIDENCE[:high], - :gem_info => gemfile_or_environment, - :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion" - elsif version_between? "4.0.0", "100.0.0" and forgery_opts = controller.options[:protect_from_forgery] - - unless forgery_opts.is_a?(Array) and sexp?(forgery_opts.first) and - access_arg = hash_access(forgery_opts.first.first_arg, :with) and symbol? access_arg and - access_arg.value == :exception - - args = { - :controller => name, - :warning_type => "Cross-Site Request Forgery", - :warning_code => :csrf_not_protected_by_raising_exception, - :message => "protect_from_forgery should be configured with 'with: :exception'", - :confidence => CONFIDENCE[:med], - :file => controller.file - } - - args.merge!(:code => forgery_opts.first) if forgery_opts.is_a?(Array) - - warn args + warn args + end end end end From 60fdd48538353cf5176f2c7dd3f169d09d10455f Mon Sep 17 00:00:00 2001 From: Jason Yeo Date: Tue, 5 Apr 2016 20:13:28 +0800 Subject: [PATCH 3/6] Add tests to show what is changed explicitly --- test/tests/rails3.rb | 38 +++++++++++++++++-------------- test/tests/rails4_with_engines.rb | 12 ++++++++++ 2 files changed, 33 insertions(+), 17 deletions(-) diff --git a/test/tests/rails3.rb b/test/tests/rails3.rb index 6bff84d427..341fcfe405 100644 --- a/test/tests/rails3.rb +++ b/test/tests/rails3.rb @@ -3,7 +3,7 @@ class Rails3Tests < Test::Unit::TestCase include BrakemanTester::FindWarning include BrakemanTester::CheckExpected - + def report @@report ||= BrakemanTester.run_scan "rails3", "Rails 3", :rails3 => true, :config_file => File.join(TEST_PATH, "apps", "rails3", "config", "brakeman.yml") 
@@ -11,10 +11,10 @@ def report def expected @expected ||= { - :controller => 1, + :controller => 0, :model => 9, :template => 38, - :generic => 74 + :generic => 75 } if RUBY_PLATFORM == 'java' @@ -384,11 +384,15 @@ def test_sql_injection_non_active_record_model end def test_csrf_protection - assert_warning :type => :controller, + assert_warning :type => :warning, + :warning_code => 33, + :fingerprint => "cc7397ad174bf0da4629bf721183207781fa674909e811965fcde139eb177447", :warning_type => "Cross-Site Request Forgery", - :message => /^'protect_from_forgery' should be called /, + :line => 49, + :message => /^CSRF\ protection\ is\ flawed\ in\ unpatched\ v/, :confidence => 0, - :file => /application_controller\.rb/ + :relative_path => "Gemfile.lock", + :user_input => nil end def test_attribute_restriction @@ -538,8 +542,8 @@ def test_encoded_href_parameter_in_link_to :message => /^Unsafe parameter value in link_to href/, :confidence => 0, :file => /test_params\.html\.erb/ - end - + end + def test_href_parameter_in_link_to assert_warning :type => :template, :warning_type => "Cross Site Scripting", @@ -547,21 +551,21 @@ def test_href_parameter_in_link_to :message => /^Unsafe parameter value in link_to href/, :confidence => 0, :file => /test_params\.html\.erb/ - + assert_warning :type => :template, :warning_type => "Cross Site Scripting", :line => 16, :message => /^Unsafe parameter value in link_to href/, :confidence => 1, - :file => /test_params\.html\.erb/ - + :file => /test_params\.html\.erb/ + assert_warning :type => :template, :warning_type => "Cross Site Scripting", :line => 18, :message => /^Unsafe parameter value in link_to href/, :confidence => 1, - :file => /test_params\.html\.erb/ - end + :file => /test_params\.html\.erb/ + end def test_polymorphic_url_in_href assert_no_warning :type => :template, 
@@ -569,14 +573,14 @@ def test_polymorphic_url_in_href :line => 10, :message => /^Unsafe parameter value in link_to href/, :confidence => 1, - :file => /test_model\.html\.erb/ + :file => /test_model\.html\.erb/ assert_no_warning :type => :template, :warning_type => "Cross Site Scripting", :line => 12, :message => /^Unsafe parameter value in link_to href/, :confidence => 1, - :file => /test_model\.html\.erb/ + :file => /test_model\.html\.erb/ end @@ -933,7 +937,7 @@ def test_xss_content_tag_unescaped_attribute :message => /^Unescaped\ model\ attribute\ in\ content_tag/, :confidence => 0, :file => /test_content_tag\.html\.erb/ - end + end def test_xss_content_tag_in_tag_name assert_warning :type => :template, @@ -1110,7 +1114,7 @@ def test_remote_code_execution_CVE_2013_0333 :message => /^Rails\ 3\.0\.3\ has\ a\ serious\ JSON\ parsing\ v/, :confidence => 0, :file => /Gemfile/ - end + end def test_denial_of_service_CVE_2013_0269 assert_warning :type => :warning, diff --git a/test/tests/rails4_with_engines.rb b/test/tests/rails4_with_engines.rb index 16025e5fa8..54eeb1738e 100644 --- a/test/tests/rails4_with_engines.rb +++ b/test/tests/rails4_with_engines.rb @@ -284,6 +284,18 @@ def test_csrf_without_exception :relative_path => "app/controllers/application_controller.rb" end + def test_csrf_in_engine + assert_warning :type => :controller, + :warning_code => 7, + :fingerprint => "bdd5f4f1cdd2e9fb24adc4e9333f2b2eb1d0325badcab7c0b89c25952a2454e8", + :warning_type => "Cross-Site Request Forgery", + :line => 1, + :message => /^'protect_from_forgery'\ should\ be\ called\ /, + :confidence => 0, + :relative_path => "engines/user_removal/app/controllers/base_controller.rb", + :user_input => nil + end + def test_xml_dos_CVE_2015_3227 assert_warning :type => :warning, :warning_code => 88, From ad1bc7d89cf2bf1e6f4e5326c4d0c14a6c507823 Mon Sep 17 00:00:00 2001 
From: Justin Collins Date: Tue, 18 Oct 2016 07:21:21 -0700 Subject: [PATCH 4/6] Fix up generalized CSRF check --- lib/brakeman/checks/check_forgery_setting.rb | 73 +++++++++++--------- test/tests/rails3.rb | 14 ++-- 2 files changed, 46 insertions(+), 41 deletions(-) diff --git a/lib/brakeman/checks/check_forgery_setting.rb b/lib/brakeman/checks/check_forgery_setting.rb index 9eb546ff84..f827884c59 100644 --- a/lib/brakeman/checks/check_forgery_setting.rb +++ b/lib/brakeman/checks/check_forgery_setting.rb 
@@ -10,44 +10,36 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck @description = "Verifies that protect_from_forgery is enabled in direct subclasses of ActionController::Base" def run_check - if tracker.config.allow_forgery_protection? - csrf_warning :warning_code => :csrf_protection_disabled, - :message => "Forgery protection is disabled" + tracker.controllers + .select { |_, controller| controller.parent == :"ActionController::Base" } + .each do |name, controller| + if controller and not controller.protect_from_forgery? + csrf_warning :controller => name, + :warning_code => :csrf_protection_missing, + :message => "'protect_from_forgery' should be called in #{name}", + :file => controller.file, + :line => controller.top_line + elsif version_between? "4.0.0", "100.0.0" and forgery_opts = controller.options[:protect_from_forgery] + unless forgery_opts.is_a?(Array) and sexp?(forgery_opts.first) and + access_arg = hash_access(forgery_opts.first.first_arg, :with) and symbol? access_arg and + access_arg.value == :exception - elsif version_between? "2.1.0", "2.3.10" - cve_2011_0447 "2.3.11" - elsif version_between? "3.0.0", "3.0.3" - cve_2011_0447 "3.0.4" - else - tracker.controllers - .select { |_, controller| controller.parent == :"ActionController::Base" } - .each do |name, controller| - if controller and not controller.protect_from_forgery? - warn :controller => name, + args = { + :controller => name, :warning_type => "Cross-Site Request Forgery", - :warning_code => :csrf_protection_missing, - :message => "'protect_from_forgery' should be called in #{name}", - :confidence => CONFIDENCE[:high], - :file => controller.file, - :line => controller.top_line - elsif version_between? "4.0.0", "100.0.0" and forgery_opts = controller.options[:protect_from_forgery] - unless forgery_opts.is_a?(Array) and sexp?(forgery_opts.first) and - access_arg = hash_access(forgery_opts.first.first_arg, :with) and symbol? 
access_arg and - access_arg.value == :exception + :warning_code => :csrf_not_protected_by_raising_exception, + :message => "protect_from_forgery should be configured with 'with: :exception'", + :confidence => CONFIDENCE[:med], + :file => controller.file + } - args = { - :controller => name, - :warning_type => "Cross-Site Request Forgery", - :warning_code => :csrf_not_protected_by_raising_exception, - :message => "protect_from_forgery should be configured with 'with: :exception'", - :confidence => CONFIDENCE[:med], - :file => controller.file - } + args.merge!(:code => forgery_opts.first) if forgery_opts.is_a?(Array) - args.merge!(:code => forgery_opts.first) if forgery_opts.is_a?(Array) + csrf_warning args + end - csrf_warning args - end + if controller.options[:protect_from_forgery] + check_cve_2011_0447 end end end @@ -64,7 +56,20 @@ def csrf_warning opts warn opts end - def cve_2011_0447 new_version + def check_cve_2011_0447 + @warned_cve_2011_0447 ||= false + return if @warned_cve_2011_0447 + + if version_between? "2.1.0", "2.3.10" + new_version = "2.3.11" + elsif version_between? "3.0.0", "3.0.3" + new_version = "3.0.4" + else + return + end + + @warned_cve_2011_0447 = true # only warn once + csrf_warning :warning_code => :CVE_2011_0447, :message => "CSRF protection is flawed in unpatched versions of Rails #{rails_version} (CVE-2011-0447). Upgrade to #{new_version} or apply patches as needed", :gem_info => gemfile_or_environment, diff --git a/test/tests/rails3.rb b/test/tests/rails3.rb index f68d85fa94..f5a91f1e27 100644 --- a/test/tests/rails3.rb +++ b/test/tests/rails3.rb @@ -11,7 +11,7 @@ def report def expected @expected ||= { - :controller => 0, + :controller => 1, :model => 9, :template => 42, :generic => 75 
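Review bot: The new side of `run_check` in this hunk no longer emits `csrf_protection_disabled`: the removed `if tracker.config.allow_forgery_protection?` branch has no counterpart among the added lines, and the unchanged lines between this hunk and the next hold the `csrf_warning` body rather than a replacement, so an app for which `allow_forgery_protection?` holds would go unreported unless the check was moved somewhere outside these hunks. That is the most severe misconfiguration this check covers and should keep its warning, e.g. before the loop: `csrf_warning :warning_code => :csrf_protection_disabled, :message => "Forgery protection is disabled" if tracker.config.allow_forgery_protection?`. Separately, `check_cve_2011_0447` is called inside the `elsif version_between? "4.0.0", "100.0.0"` branch, so it cannot be reached on the Rails 2.1–2.3.10 / 3.0.0–3.0.3 versions it tests for (patch 6 of this series moves it out).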
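Review bot: `@warned_cve_2011_0447 ||= false` on the first line of `check_cve_2011_0447` has no effect, because an unset instance variable is already falsy; `return if @warned_cve_2011_0447` alone expresses the once-only guard. The method would also benefit from a header comment, since its once-per-scan behaviour is what makes calling it from inside the controller loop in `run_check` safe, e.g. `# Warns once per scan when the Rails version is affected by CVE-2011-0447.`. The `csrf_warning` call at the end of the method continues outside the hunk.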
@@ -384,14 +384,14 @@ def test_sql_injection_non_active_record_model end def test_csrf_protection - assert_warning :type => :warning, - :warning_code => 33, - :fingerprint => "cc7397ad174bf0da4629bf721183207781fa674909e811965fcde139eb177447", + assert_warning :type => :controller, + :warning_code => 7, + :fingerprint => "6f5239fb87c64764d0c209014deb5cf504c2c10ee424bd33590f0a4f22e01d8f", :warning_type => "Cross-Site Request Forgery", - :line => 49, - :message => /^CSRF\ protection\ is\ flawed\ in\ unpatched\ v/, + :line => 1, + :message => /^'protect_from_forgery'\ should\ be\ called\ /, :confidence => 0, - :relative_path => "Gemfile.lock", + :relative_path => "app/controllers/application_controller.rb", :user_input => nil end From b200bc871f9ff53fe526d87d9b34d072452513c9 Mon Sep 17 00:00:00 2001 From: Justin Collins Date: Tue, 18 Oct 2016 07:38:38 -0700 Subject: [PATCH 5/6] Useless code --- lib/brakeman/checks/check_forgery_setting.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lib/brakeman/checks/check_forgery_setting.rb b/lib/brakeman/checks/check_forgery_setting.rb index f827884c59..497f9acd32 100644 --- a/lib/brakeman/checks/check_forgery_setting.rb +++ b/lib/brakeman/checks/check_forgery_setting.rb @@ -49,8 +49,7 @@ def csrf_warning opts opts = { :controller => :ApplicationController, :warning_type => "Cross-Site Request Forgery", - :confidence => CONFIDENCE[:high], - :file => tracker.controllers[:ApplicationController].file + :confidence => CONFIDENCE[:high] }.merge opts warn opts From 5bbc529e440911c0cd22413346ffb18c4a6680d1 Mon Sep 17 00:00:00 2001 From: Justin Collins Date: Wed, 26 Oct 2016 21:31:19 -0700 Subject: [PATCH 6/6] Fix CVE-2011-0447 check move it outside of conditional --- lib/brakeman/checks/check_forgery_setting.rb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/brakeman/checks/check_forgery_setting.rb b/lib/brakeman/checks/check_forgery_setting.rb index 497f9acd32..e22543d600 100644 
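Review bot: Dropping `:file => tracker.controllers[:ApplicationController].file` removes a nil dereference for apps without an ApplicationController, but the `:controller => :ApplicationController` default on the line above it remains, so any warning that does not pass `:controller` (the CVE-2011-0447 one from `check_cve_2011_0447`) is still attributed to a controller that may not exist in the scanned app. Now that the check covers every direct subclass of ActionController::Base, either drop that default as well or have the caller pass the subclass name it found. `csrf_warning` starts before this hunk.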
--- a/lib/brakeman/checks/check_forgery_setting.rb +++ b/lib/brakeman/checks/check_forgery_setting.rb @@ -38,9 +38,10 @@ def run_check csrf_warning args end - if controller.options[:protect_from_forgery] - check_cve_2011_0447 - end + end + + if controller.options[:protect_from_forgery] + check_cve_2011_0447 end end end
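Review bot: Moving the call out of the `elsif` makes `check_cve_2011_0447` run once per direct subclass that sets `protect_from_forgery`, so correctness of the single warning now rests entirely on the `@warned_cve_2011_0447` flag inside that method. The once-only intent would be explicit, and independent of that flag, if the version check ran once after the loop, e.g. `check_cve_2011_0447 if tracker.controllers.any? { |_, c| c.parent == :"ActionController::Base" and c.options[:protect_from_forgery] }`. A controller reported as missing `protect_from_forgery` never reaches the CVE check, which is consistent since that advisory only concerns apps relying on the protection; a brief comment on the `if controller.options[:protect_from_forgery]` line stating that would help the next reader. `run_check` begins before this hunk.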