Fix default cross-site request forgery setting when defaults are not loaded

[presidentbeef]

Follow up from #1530, adding a test.

Should fix #1773

[joshgoebel]

Yes, I think this inversion on the conditional would fix it! Thanks!

[MaksJS]

I've got a regression with this one on Rails 7. Rails.configuration.action_controller.default_protect_from_forgery is true and I get the Cross-Site Request Forgery warning. Maybe, at some point, the value of default_protect_from_forgery is not passed to the tracker config when not inlined in the configuration file (true is the default value).

[joshgoebel]

Where else are you setting the configuration? I guess I'd expect it to run part of the init to get the values - but does it only do static analysis?

[presidentbeef]

For security reasons, Brakeman does not run any of the code it analyzes.

@MaksJS Where is default_protect_from_forgery set in your application? Is it in an initializer?

[MaksJS]

@joshgoebel @presidentbeef Nowhere, it's true by default so I don't set it again in the config

[joshgoebel]

t's true by default

So you're using load_defaults?

[MaksJS]

@joshgoebel Yes

[presidentbeef]

@MaksJS I cannot reproduce your issue.

This is what the Rails 7 test app looks like:

module Rails7
  class Application < Rails::Application
    # Initialize configuration defaults for originally generated Rails version.
    config.load_defaults 7.0

It's very hard to guess at the issue. Please share the warning you are getting what your code looks like. Even better, share an example Rails application that demonstrates the issue. Thanks!

[MaksJS]

@presidentbeef Ok I was able to reproduce it. You're right, with a brand new Rails 7 application it works well.
But on my case, I'm developing a Rails Engine with a dummy application, which have this configuration by default:

module Dummy
  class Application < Rails::Application
    config.load_defaults Rails::VERSION::STRING.to_f
  end

This configuration is generated by this template: https://github.com/rails/rails/blob/main/railties/lib/rails/generators/rails/app/templates/config/application.rb.tt#L15

In this case, I get the Cross-Site Request Forgery warning with Brakeman 6.0.0.

[presidentbeef]

Ah. In that case Brakeman cannot know for which version of Rails to load the defaults. What version would you expect it to use? Is there a Gemfile.lock with a specific version?

[MaksJS]

Well, Rails::VERSION::STRING.to_f would evaluate to 7.0 here. You can also get the version number with Rails.configuration.loaded_config_version, so maybe it can be available in tracker.config.rails.dig(:loaded_config_version). Or maybe not if the app config is never evaluated, which seems to be the case if I understand correctly this method

brakeman/lib/brakeman/tracker/config.rb

Line 75 in 6af53c6

def set_rails_version version = nil

But yes there is an entry in Gemfile.lock: rails (~> 7.0.5).

And I correctly get the version number in the report:

[Notice] Detected Rails 7 application
....
Rails Version: 7.0.5
Brakeman Version: 6.0.0
....
== Warnings ==

Confidence: High
Category: Cross-Site Request Forgery
....

[joevin-slq-docto]

Hello,
I'm using Rails 7 with config.load_defaults 6.0 inside application.rb.
Rails console confirms me that Rails.configuration.action_controller.default_protect_from_forgery is set to true but I get the Cross-Site Request Forgery warning since I upgraded to Brakeman 6.0.0.