Confidence: High
Category: Cross-Site Request Forgery
Check: ForgerySetting
Message: `protect_from_forgery` should be called in `ApplicationController`
File: app/controllers/application_controller.rb
Line: 6
Relevant code:
# in config/application.rb
config.load_defaults "7.0"
It's interesting that Rails itself generates number literals for the version and that's what's in all the documentation, but then the actual code uses strings. 🤷
Background
Brakeman version: 6.0.0
Rails version: 7.0.6
Ruby version: 3.2.2
False Positive
Full warning from Brakeman:
Relevant code:
This looks like a false positive because `load_defaults` always loads the defaults for the given version and the previous versions. And the value for `default_protect_from_forgery` is by default `true` since Rails version 5.2, so `load_defaults "7.0"` should be enough.

I've also inspected `ApplicationController.default_protect_from_forgery` from the Rails console and it returns `true`.
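To make the two points of the report concrete (defaults accumulate across versions, and the version argument may be a string or a number), here is an added, self-contained Ruby model of the `load_defaults` behaviour. It is not Rails' or Brakeman's own code: `AppConfig`, `VERSION_DEFAULTS` and `csrf_default_enabled?` are constructed for this illustration, and the table only models the CSRF-relevant default plus one constructed neighbour. Rails' real `load_defaults` dispatches on `target_version.to_s`, which is why `"7.0"` and `7.0` select the same branch; the model keeps that property.

```ruby
# Simplified model of Rails' cumulative `config.load_defaults` behaviour.
# Added illustration; not Rails' or Brakeman's implementation.
class AppConfig
  # Defaults that each framework version introduces; every later version
  # inherits them. Only `default_protect_from_forgery` (true from 5.2) and
  # one constructed neighbour are modelled.
  VERSION_DEFAULTS = {
    "5.0" => { belongs_to_required_by_default: true },
    "5.1" => {},
    "5.2" => { default_protect_from_forgery: true },
    "6.0" => {},
    "6.1" => {},
    "7.0" => {},
  }.freeze

  attr_reader :settings, :loaded_version

  def initialize
    @settings = {}
    @loaded_version = nil
  end

  # Accepts "7.0", 7.0 or :"7.0"; normalises with to_s as Rails does.
  # Applies the defaults of every known version up to and including the
  # requested one, so later versions carry earlier defaults forward.
  def load_defaults(target_version)
    version = target_version.to_s
    unless VERSION_DEFAULTS.key?(version)
      raise ArgumentError, "unknown framework version #{version.inspect}"
    end

    requested = Gem::Version.new(version)
    VERSION_DEFAULTS.each do |v, defaults|
      break if Gem::Version.new(v) > requested
      @settings.merge!(defaults)
    end
    @loaded_version = version
    self
  end

  # Mirrors the setting the issue inspected from the Rails console.
  def default_protect_from_forgery
    @settings.fetch(:default_protect_from_forgery, false)
  end
end

# Defender-side check (constructed helper, not Brakeman's ForgerySetting
# check): does the configured default set leave CSRF protection on?
def csrf_default_enabled?(target_version)
  AppConfig.new.load_defaults(target_version).default_protect_from_forgery
end

if __FILE__ == $PROGRAM_NAME
  puts csrf_default_enabled?("7.0")  # true: string version, inherits 5.2 default
  puts csrf_default_enabled?(7.0)    # true: numeric version, same result
  puts csrf_default_enabled?("5.1")  # false: predates the 5.2 default
end
```

Running the file shows that a string `"7.0"` and a numeric `7.0` both resolve to a configuration in which `default_protect_from_forgery` is `true`, while a target of `"5.1"` does not, which is the behaviour the report argues a version-aware check should model.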