Fix default cross-site request forgery setting when defaults are not loaded #1776
Conversation
…r/brakeman into montdidier-hotfix/rails_52_if_no_defaults
Yes, I think this inversion on the conditional would fix it! Thanks! |
I've got a regression with this one on Rails 7. |
Where else are you setting the configuration? I guess I'd expect it to run part of the init to get the values - but does it only do static analysis? |
For security reasons, Brakeman does not run any of the code it analyzes. @MaksJS Where is |
@joshgoebel @presidentbeef Nowhere, it's |
So you're using |
@joshgoebel Yes |
@MaksJS I cannot reproduce your issue. This is what the Rails 7 test app looks like:

```ruby
module Rails7
  class Application < Rails::Application
    # Initialize configuration defaults for originally generated Rails version.
    config.load_defaults 7.0
  end
end
```

It's very hard to guess at the issue. Please share the warning you are getting and what your code looks like. Even better, share an example Rails application that demonstrates the issue. Thanks! |
@presidentbeef Ok, I was able to reproduce it. You're right, with a brand new Rails 7 application it works well.

```ruby
module Dummy
  class Application < Rails::Application
    config.load_defaults Rails::VERSION::STRING.to_f
  end
end
```

This configuration is generated by this template: https://github.com/rails/rails/blob/main/railties/lib/rails/generators/rails/app/templates/config/application.rb.tt#L15 In this case, I get the |
Ah. In that case Brakeman cannot know for which version of Rails to load the defaults. What version would you expect it to use? Is there a |
Well, brakeman/lib/brakeman/tracker/config.rb Line 75 in 6af53c6
But yes there is an entry in And I correctly get the version number in the report:
Hello, |
Follow up from #1530, adding a test.
Should fix #1773
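The thread above turns on one point: Brakeman only reads the code, so `config.load_defaults Rails::VERSION::STRING.to_f` gives it no version to decide whether Rails' CSRF protection (`default_protect_from_forgery`, switched on by `load_defaults 5.2` and later) is active by default. The following is an added illustration written for this page, not Brakeman's own implementation. It statically extracts the `load_defaults` argument when it is a literal and otherwise falls back to the Rails version pinned in `Gemfile.lock`, then reports whether forgery protection is on by default. The function names, the return hash and the sample `application.rb` and `Gemfile.lock` snippets are all constructed for the example.

```ruby
# Added example, not Brakeman code. Decides, without executing the app,
# whether Rails enables CSRF protection by default for a given project.

# Rails turns on ActionController::Base.default_protect_from_forgery when
# config.load_defaults is 5.2 or newer.
CSRF_DEFAULT_SINCE = 5.2

# Returns the Float passed to config.load_defaults when it is a numeric or
# quoted literal, or nil when it is an expression that cannot be evaluated
# statically (e.g. Rails::VERSION::STRING.to_f).
def static_load_defaults_version(application_rb)
  m = application_rb.match(/^\s*config\.load_defaults\s+(.+)$/)
  return nil unless m

  arg = m[1].sub(/#.*\z/, '').strip          # drop a trailing comment
  lit = arg.match(/\A["']?(\d+(?:\.\d+)?)["']?\z/)
  lit ? lit[1].to_f : nil
end

# Fallback source: the rails gem pinned in Gemfile.lock ("    rails (7.0.4)"
# under GEM/specs). Returns major.minor as a Float, or nil if absent.
def rails_version_from_lockfile(gemfile_lock)
  m = gemfile_lock.match(/^ {4}rails \((\d+)\.(\d+)(?:\.\d+)*\)/)
  return nil unless m

  "#{m[1]}.#{m[2]}".to_f
end

# Combines both sources and reports which one was used, so a report can
# say "assumed Rails 7.0 from Gemfile.lock" instead of silently guessing.
def csrf_protected_by_default?(application_rb, gemfile_lock)
  if (v = static_load_defaults_version(application_rb))
    source = :load_defaults
  elsif (v = rails_version_from_lockfile(gemfile_lock))
    source = :gemfile_lock
  else
    return { version: nil, csrf_default: false, source: :unknown }
  end

  { version: v, csrf_default: v >= CSRF_DEFAULT_SINCE, source: source }
end

# --- constructed sample inputs -------------------------------------------

LITERAL_APP = <<~RUBY
  module Rails7
    class Application < Rails::Application
      config.load_defaults 7.0
    end
  end
RUBY

DYNAMIC_APP = <<~RUBY
  module Dummy
    class Application < Rails::Application
      config.load_defaults Rails::VERSION::STRING.to_f
    end
  end
RUBY

LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (7.0.4)
        actioncable (= 7.0.4)

  DEPENDENCIES
    rails (~> 7.0.4)
LOCK

if $PROGRAM_NAME == __FILE__
  p csrf_protected_by_default?(LITERAL_APP, LOCKFILE)
  p csrf_protected_by_default?(DYNAMIC_APP, LOCKFILE)
  p csrf_protected_by_default?("config.load_defaults 5.1\n", LOCKFILE)
end
```

For the dynamic `load_defaults` case the answer comes from `Gemfile.lock`, which matches what the thread describes: the report already knows the Rails version, so the CSRF default can be derived from it instead of being treated as unset.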