Warning when `protected_from_forgery` is mixed in. #958

merged 1 commit into from Nov 29, 2016


louim commented Nov 7, 2016

Hi! Since #953 was merged in, we started to see `'protect_from_forgery' should be called in ...` in our controllers that were not inheriting from the ApplicationController.

I had a look, and it seems that it's because we are mixing in the `protect_from_forgery` in those controllers. I added a failing test case that should normally not generate a warning. My knowledge of the Brakeman codebase was not enough for me to create a fix.

Let me know if I can do anything else to help!

@louim louim Add a false positive test when "protect_form_forgery" is mixed in. 8d6f92a

Hi Louis-Michel,

Thank you for the nice test case! I will see about fixing this.

presidentbeef added a commit that referenced this pull request Nov 28, 2016

Process Concerns in controllers
Fixes #958

presidentbeef merged commit 8d6f92a into presidentbeef:master Nov 29, 2016

1 check failed

continuous-integration/travis-ci/pr The Travis CI build failed