Skip to content

Commit 71c5711

Browse files
alexrfordalexrford
committed
Ruby: add some rb/weak-cookie-configuration tests
1 parent 8976469 commit 71c5711

File tree

3 files changed

+43
-0
lines changed

3 files changed

+43
-0
lines changed

ruby/ql/test/query-tests/security/cwe-732/WeakCookieConfiguration.expected

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
| app/config/application.rb:14:5:14:50 | call to encrypted_cookie_cipher= | DES is a weak cipher. |
2+
| app/config/application.rb:17:5:17:50 | call to encrypted_cookie_cipher= | AES-256-ECB is a weak cipher. |
3+
| app/config/application.rb:23:5:23:62 | call to use_authenticated_cookie_encryption= | use_authenticated_cookie_encryption=false selects a weaker block mode for authenticated cookies. |
4+
| app/config/application.rb:32:5:32:55 | call to cookies_same_site_protection= | Setting 'SameSite' to 'None' may make an application more vulnerable to CSRF attacks. |
5+
| app/config/application.rb:35:5:35:55 | call to cookies_same_site_protection= | Unsetting 'SameSite' can disable same-site cookie restrictions in some browsers. |

ruby/ql/test/query-tests/security/cwe-732/WeakCookieConfiguration.qlref

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
queries/security/cwe-732/WeakCookieConfiguration.ql

ruby/ql/test/query-tests/security/cwe-732/app/config/application.rb

Lines changed: 37 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,37 @@
1+
require 'rails'
2+
3+
module App
4+
class Application < Rails::Application
5+
config.load_defaults 6.0
6+
7+
# GOOD: strong cipher
8+
config.action_dispatch.encrypted_cookie_cipher = "aes-256-gcm"
9+
10+
# GOOD: strong cipher
11+
config.action_dispatch.encrypted_cookie_cipher = "ChaCha"
12+
13+
# BAD: weak block encryption algorithm
14+
config.action_dispatch.encrypted_cookie_cipher = "DES"
15+
16+
# BAD: weak block encryption mode
17+
config.action_dispatch.encrypted_cookie_cipher = "AES-256-ECB"
18+
19+
# GOOD
20+
config.action_dispatch.use_authenticated_cookie_encryption = true
21+
22+
# BAD: less secure block encryption mode
23+
config.action_dispatch.use_authenticated_cookie_encryption = false
24+
25+
# GOOD
26+
config.action_dispatch.cookies_same_site_protection = :lax
27+
28+
# GOOD
29+
config.action_dispatch.cookies_same_site_protection = "strict"
30+
31+
# BAD: disabling same-site protections for sending cookies
32+
config.action_dispatch.cookies_same_site_protection = :none
33+
34+
# BAD: not all browsers default to `lax` if unset
35+
config.action_dispatch.cookies_same_site_protection = nil
36+
end
37+
end

0 commit comments

Comments
 (0)