
False positive for protect_from_forgery on Rails 5.2 #1132

Closed
rmehner opened this Issue Dec 4, 2017 · 2 comments


rmehner commented Dec 4, 2017

Background

Brakeman version: 4.0.1
Rails version: 5.2.0.beta.2
Ruby version: 2.4.1

Link to Rails application code:

There is no link, but scaffolding a new project with rails new projectName is enough to reproduce this.

Issue

False Positive

Full warning from Brakeman:

== Warnings ==

Confidence: High
Category: Cross-Site Request Forgery
Check: ForgerySetting
Message: 'protect_from_forgery' should be called in ApplicationController
File: app/controllers/application_controller.rb
Line: 1

Why might this be a false positive?

The new default for Rails 5.2 is to set it via the Rails config:

# config/initializers/new_framework_defaults_5_2.rb
Rails.application.config.action_controller.default_protect_from_forgery = true

So it's completely fine if you don't have protect_from_forgery set in your ApplicationController, if this is set to true.

Thank you all around for your work on this, helped me to catch a couple of things in several projects already, woop!
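To make the point of this report concrete, here is a small check that mirrors the ForgerySetting logic but also honours the Rails 5.2 configuration default. This is an added example, not Brakeman's own code; the controller and initializer sources are constructed inline, and the handling of `config.load_defaults` is an extension beyond the explicit assignment shown in the report.

```ruby
# Minimal check mirroring Brakeman's ForgerySetting warning with the Rails 5.2
# default taken into account (added example, not Brakeman's own code). A CSRF
# warning is only justified when neither ApplicationController nor the
# framework configuration enables forgery protection.
# Constructed sample sources; no Rails application is needed to run this.
CONTROLLER_BARE = <<~SRC
  class ApplicationController < ActionController::Base
  end
SRC

CONTROLLER_EXPLICIT = <<~SRC
  class ApplicationController < ActionController::Base
    protect_from_forgery with: :exception
  end
SRC

INITIALIZER_5_2 = <<~SRC
  # config/initializers/new_framework_defaults_5_2.rb
  Rails.application.config.action_controller.default_protect_from_forgery = true
SRC
WARNING = "'protect_from_forgery' should be called in ApplicationController"

# True when the controller calls protect_from_forgery (a commented-out call
# does not count: the stripped line then starts with '#').
def controller_protects?(controller_src)
  controller_src.each_line.any? { |l| l.strip.start_with?("protect_from_forgery") }
end

# True when config enables the 5.2 default, via an explicit assignment or via
# `config.load_defaults 5.2` (or newer). Comments are skipped; last value wins.
def config_default_enabled?(config_srcs)
  enabled = false
  config_srcs.each do |src|
    src.each_line do |line|
      next if line.strip.start_with?("#")
      if (m = line.match(/default_protect_from_forgery\s*=\s*(true|false)/))
        enabled = (m[1] == "true")
      elsif (m = line.match(/load_defaults\s+"?(\d+\.\d+)"?/))
        enabled = Gem::Version.new(m[1]) >= Gem::Version.new("5.2")
      end
    end
  end
  enabled
end

# Returns the warning text, or nil when the app is protected either way.
def forgery_warning(controller_src, config_srcs = [])
  return nil if controller_protects?(controller_src) || config_default_enabled?(config_srcs)
  WARNING
end
```

With the scaffolded 5.2 initializer passed in, `forgery_warning(CONTROLLER_BARE, [INITIALIZER_5_2])` returns nil, which is the behaviour the report asks for.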

presidentbeef (Owner) commented Dec 4, 2017

Hi Robin,

Interesting, thanks!

rmehner commented Dec 9, 2017

Thanks @presidentbeef for fixing this 🙏

Repository owner locked and limited conversation to collaborators Feb 6, 2018
