Background
Brakeman version: 5.4.0
Rails version: 6.0
Ruby version: 2.7
Link to Rails application code: closed-source
False Positive
When:
load_defaults is NOT present
default_protect_from_forgery is NOT configured anywhere
Full warning from Brakeman:
No warning, but there should be a security warning generated by checks/check_forgery_setting.rb.
Relevant code:
# these lines are MISSING from your config
# load_defaults 5.2
# Rails.application.config.action_controller.default_protect_from_forgery = nil
Why might this be a false negative?
Because by default a Rails 6 app does NOT have protect from forgery enabled unless load_defaults 5.2 or higher is used...
> Rails.application.config.action_controller.default_protect_from_forgery
=> nil
> ApplicationController.default_protect_from_forgery
=> false
The logic for this check assumes that defaults are tied to the Rails version number only... but this is untrue, they are based on the actual underlying defaults of Rails (often nil) PLUS the load_defaults one is using - and it's entirely possible (though perhaps ill-advised) not to use load_defaults at all.
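The following is an added example, not Brakeman's code and not code from the issue author: it models how the effective default_protect_from_forgery value is derived from the text of config/application.rb, so the false-negative scenario in this report (no load_defaults, no explicit setting) can be checked mechanically. It assumes, as the report states, that load_defaults 5.2 or higher turns the default on, that with no load_defaults the underlying default is nil (which behaves as false), and that an explicit assignment in the same file wins; the sample configurations and the helper names (parse_forgery_config, effective_protect_from_forgery, forgery_warning) are constructed for this example.

```ruby
require "rubygems" # for Gem::Version

# Assumption from the report: Rails switches default_protect_from_forgery on
# starting with load_defaults 5.2.
FORGERY_DEFAULT_VERSION = Gem::Version.new("5.2")

# Parse the two settings that matter out of the raw text of config/application.rb.
# Returns { load_defaults: Gem::Version or nil, explicit: true | false | nil | :unset }.
# Comment stripping is deliberately simple (everything after "#" is dropped), which
# is enough for config files and mirrors the "missing lines" shown in the report.
def parse_forgery_config(source)
  result = { load_defaults: nil, explicit: :unset }
  source.each_line do |raw|
    line = raw.sub(/#.*/, "")
    if (m = line.match(/\bload_defaults\s+["']?(\d+(?:\.\d+)?)["']?/))
      result[:load_defaults] = Gem::Version.new(m[1])
    elsif (m = line.match(/\bdefault_protect_from_forgery\s*=\s*(true|false|nil)\b/))
      result[:explicit] = { "true" => true, "false" => false, "nil" => nil }[m[1]]
    end
  end
  result
end

# Effective value of ApplicationController.default_protect_from_forgery as the
# report describes it: explicit assignment wins, otherwise it depends only on the
# load_defaults version, and with no load_defaults at all it is nil, i.e. off.
def effective_protect_from_forgery(source)
  cfg = parse_forgery_config(source)
  return (cfg[:explicit] ? true : false) unless cfg[:explicit] == :unset
  return false if cfg[:load_defaults].nil?
  cfg[:load_defaults] >= FORGERY_DEFAULT_VERSION
end

# What a check modelled on checks/check_forgery_setting.rb should report for an
# app whose controllers rely on the default rather than calling
# protect_from_forgery themselves. Returns nil when no warning is warranted.
def forgery_warning(source)
  return nil if effective_protect_from_forgery(source)
  "CSRF protection is not enabled by default: add load_defaults 5.2 or higher, " \
    "set default_protect_from_forgery = true, or call protect_from_forgery"
end

# Constructed sample configurations (not from any real application).
CONFIG_WITHOUT_DEFAULTS = <<~RUBY
  module MyApp
    class Application < Rails::Application
      # neither load_defaults nor default_protect_from_forgery is set
      config.eager_load = true
    end
  end
RUBY

CONFIG_WITH_DEFAULTS = <<~RUBY
  module MyApp
    class Application < Rails::Application
      config.load_defaults 6.0
    end
  end
RUBY

CONFIG_OLD_DEFAULTS = <<~RUBY
  config.load_defaults 5.1
RUBY

CONFIG_DISABLED = <<~RUBY
  config.load_defaults 6.0
  config.action_controller.default_protect_from_forgery = false
RUBY

if __FILE__ == $PROGRAM_NAME
  { "no load_defaults" => CONFIG_WITHOUT_DEFAULTS,
    "load_defaults 6.0" => CONFIG_WITH_DEFAULTS,
    "load_defaults 5.1" => CONFIG_OLD_DEFAULTS,
    "explicitly disabled" => CONFIG_DISABLED }.each do |label, src|
    puts "#{label}: #{forgery_warning(src) || 'ok'}"
  end
end
```

The first sample is the exact situation in this report: a Rails 6 app with no load_defaults line is treated as having forgery protection off, so a check keyed only on the Rails version number would stay silent where this model warns. The fourth sample shows why an explicit assignment has to be read as well, since load_defaults 6.0 alone would otherwise look safe.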