Ruby: enable forgery protection checks for development environments

alexrford · alexrford · commit 68c3c16ab34b · 2021-11-22T15:00:32.000Z
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Rails.qll b/ruby/ql/lib/codeql/ruby/frameworks/Rails.qll
@@ -106,10 +106,10 @@ private predicate hasBooleanValue(DataFlow::Node node, boolean value) {
 
 // `<actionControllerConfig>.allow_forgery_protection = <verificationSetting>`
 private DataFlow::CallNode getAnAllowForgeryProtectionCall(boolean verificationSetting) {
-  // exclude some test and development configuration
+  // exclude some test configuration
   not (
     result.getLocation().getFile().getRelativePath().matches("%test/%") or
-    result.getLocation().getFile().getStem() = ["test", "development"]
+    result.getLocation().getFile().getStem() = "test"
   ) and
   result.getReceiver() instanceof ActionControllerConfigNode and
   result.asExpr().getExpr().(MethodCall).getMethodName() = "allow_forgery_protection=" and
diff --git a/ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionDisabled.expected b/ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionDisabled.expected
@@ -1,3 +1,4 @@
 | railsapp/app/controllers/users_controller.rb:4:3:4:47 | call to skip_before_action | Potential CSRF vulnerability due to forgery protection being disabled. |
 | railsapp/config/application.rb:15:5:15:53 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled. |
+| railsapp/config/environments/development.rb:5:3:5:51 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled. |
 | railsapp/config/environments/production.rb:5:3:5:51 | call to allow_forgery_protection= | Potential CSRF vulnerability due to forgery protection being disabled. |
