Ruby: add test for protect_from_forgery without exception strategy

alexrford · alexrford · commit c1a51d94a2b2 · 2022-01-17T17:44:52.000Z
diff --git a/ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionDisabled.expected b/ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionDisabled.expected
@@ -1,4 +1,5 @@
-| railsapp/app/controllers/users_controller.rb:4:3:4:47 | call to skip_before_action | Potential CSRF vulnerability due to forgery protection being disabled. |
-| railsapp/config/application.rb:15:5:15:53 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled. |
-| railsapp/config/environments/development.rb:5:3:5:51 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled. |
-| railsapp/config/environments/production.rb:5:3:5:51 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled. |
+| railsapp/app/controllers/application_controller.rb:5:3:5:22 | call to protect_from_forgery | Potential CSRF vulnerability due to forgery protection being disabled or weakened. |
+| railsapp/app/controllers/users_controller.rb:4:3:4:47 | call to skip_before_action | Potential CSRF vulnerability due to forgery protection being disabled or weakened. |
+| railsapp/config/application.rb:15:5:15:53 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled or weakened. |
+| railsapp/config/environments/development.rb:5:3:5:51 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled or weakened. |
+| railsapp/config/environments/production.rb:5:3:5:51 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled or weakened. |
diff --git a/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/application_controller.rb b/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/application_controller.rb
@@ -1,2 +1,20 @@
 class ApplicationController < ActionController::Base
+
+  # BAD: `protect_from_forgery` without `with: :exception` can expose an
+  # application to CSRF attacks in some circumstances
+  protect_from_forgery
+
+  before_action authz_guard
+
+  def current_user
+    @current_user ||= User.find_by_id(session[:user_id])
+  end
+
+  def logged_in?
+    !current_user.nil?
+  end
+
+  def authz_guard
+    render(plain: "not logged in") unless logged_in?
+  end
 end
diff --git a/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/articles_controller.rb b/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/articles_controller.rb
@@ -0,0 +1,15 @@
+class ArticlesController < ApplicationController
+  prepend_before_action :user_authored_article?, only: [:delete_authored_article]
+
+  def delete_authored_article
+    article.destroy
+  end
+
+  def article
+    @article ||= Article.find(params[:article_id])
+  end
+
+  def user_authored_article?
+    @article.author_id = current_user.id
+  end
+end
diff --git a/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/users_controller.rb b/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/users_controller.rb
@@ -4,7 +4,7 @@ class UsersController < ApplicationController
   skip_before_action :verify_authenticity_token
 
   def change_email
-    user = User.find_by(name: params[:user_name])
+    user = current_user
     user.email = params[:new_email]
     user.save!
   end
