test cases for rb/csrf-protection-disabled

Author: alexrford

ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionDisabled.expected

@@ -0,0 +1,3 @@
+| railsapp/app/controllers/users_controller.rb:4:3:4:47 | call to skip_before_action | Potential CSRF vulnerability due to forgery protection being disabled. |
+| railsapp/config/application.rb:15:5:15:53 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled. |
+| railsapp/config/environments/production.rb:5:3:5:51 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled. |

ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionDisabled.qlref

@@ -0,0 +1 @@
+queries/security/cwe-352/CSRFProtectionDisabled.ql

ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/application_controller.rb

@@ -0,0 +1,2 @@
+class ApplicationController < ActionController::Base
+end

ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/users_controller.rb

@@ -0,0 +1,11 @@
+class UsersController < ApplicationController
+
+  # BAD: Disabling forgery protection may open the application to CSRF attacks
+  skip_before_action :verify_authenticity_token
+
+  def change_email
+    user = User.find_by(name: params[:user_name])
+    user.email = params[:new_email]
+    user.save!
+  end
+end

ruby/ql/test/query-tests/security/cwe-352/railsapp/config/application.rb

@@ -0,0 +1,17 @@
+require_relative 'boot'
+
+require 'rails/all'
+
+# Require the gems listed in Gemfile, including any gems
+# you've limited to :test, :development, or :production.
+Bundler.require(*Rails.groups)
+
+module Railsapp
+  class Application < Rails::Application
+    # Initialize configuration defaults for originally generated Rails version.
+    config.load_defaults 6.0
+
+    # BAD: Disabling forgery protection may open the application to CSRF attacks
+    config.action_controller.allow_forgery_protection = false
+  end
+end

ruby/ql/test/query-tests/security/cwe-352/railsapp/config/environment.rb

@@ -0,0 +1,5 @@
+# Load the Rails application.
+require_relative 'application'
+
+# Initialize the Rails application.
+Rails.application.initialize!

ruby/ql/test/query-tests/security/cwe-352/railsapp/config/environments/development.rb

@@ -0,0 +1,6 @@
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # GOOD: disabling CSRF protection in the development environment should not be flagged
+  config.action_controller.allow_forgery_protection = false
+end

ruby/ql/test/query-tests/security/cwe-352/railsapp/config/environments/production.rb

@@ -0,0 +1,6 @@
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # BAD: Disabling forgery protection may open the application to CSRF attacks
+  config.action_controller.allow_forgery_protection = false
+end

ruby/ql/test/query-tests/security/cwe-352/railsapp/config/environments/test.rb

@@ -0,0 +1,11 @@
+# The test environment is used exclusively to run your application's
+# test suite. You never need to work with it otherwise. Remember that
+# your test database is "scratch space" for the test suite and is wiped
+# and recreated between test runs. Don't rely on the data there!
+
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # GOOD: disabling CSRF protection in the test environment should not be flagged
+  config.action_controller.allow_forgery_protection = false
+end

ruby/ql/test/query-tests/security/cwe-352/railsapp/test/controllers/users_controller_test.rb

@@ -0,0 +1,8 @@
+require "test_helper"
+
+class UsersControllerTest < ActiveSupport::TestCase
+  setup do
+    # GOOD: disabling CSRF protection in tests should not be flagged
+    config.action_controller.allow_forgery_protection = false
+  end
+end