False positive for protect_from_forgery when defaults for rails 7 are used

[Pritilender]

Background

Brakeman version: 6.0.0
Rails version: 7.0.6
Ruby version: 3.2.2

False Positive

Full warning from Brakeman:

Confidence: High
Category: Cross-Site Request Forgery
Check: ForgerySetting
Message: `protect_from_forgery` should be called in `ApplicationController`
File: app/controllers/application_controller.rb
Line: 6

Relevant code:

# in config/application.rb
config.load_defaults "7.0"

This looks like a false positive because load_defaults always loads the defaults for the given version and the previous versions.
And the value for default_protect_from_forgery is by default true since rails version 5.2, so load_defaults "7.0" should be enough.

I've also inspected the ApplicationController.default_protect_from_forgery from the rails console and it returns true.

[presidentbeef]

Yes, this is the same as #1783

It's interesting that Rails itself generates number literals for the version and that's what's in all the documentation, but then the actual code uses strings. 🤷