False positive for protect_from_forgery on Rails 5.2

[rmehner]

Background

Brakeman version: 4.0.1
Rails version: 5.2.0.beta.2
Ruby version: 2.4.1

Link to Rails application code:

There is no link, but scaffolding a new project with rails new projectName is enough to reproduce this.

Issue

False Positive

Full warning from Brakeman:

== Warnings ==

Confidence: High
Category: Cross-Site Request Forgery
Check: ForgerySetting
Message: 'protect_from_forgery' should be called in ApplicationController
File: app/controllers/application_controller.rb
Line: 1

Why might this be a false positive?

The new default for Rails 5.2 is to set it via the Rails config:

# config/initializers/new_framework_defaults_5_2.rb
Rails.application.config.action_controller.default_protect_from_forgery = true

So it's completely fine if you don't have protect_from_forgery set in your ApplicationController, if this is set to true.

Thank you all around for your work on this, helped me to catch a couple of things in several projects already, woop!

[presidentbeef]

Hi Robin,

Interesting, thanks!

[rmehner]

Thanks @presidentbeef for fixing this 🙏