qhelp for rb/csrf-protection-disabled

alexrford · alexrford · commit d324f9397c12 · 2021-11-04T19:56:56.000Z
diff --git a/ruby/ql/src/queries/security/cwe-352/CSRFProtectionDisabled.qhelp b/ruby/ql/src/queries/security/cwe-352/CSRFProtectionDisabled.qhelp
@@ -0,0 +1,62 @@
+<!DOCTYPE qhelp PUBLIC
+ "-//Semmle//qhelp//EN"
+ "qhelp.dtd">
+<qhelp>
+
+  <overview>
+    <p>
+      Cross-site request forgery (CSRF) is a type of vulnerability in which an
+      attacker  is able to force a user carry out an action that the user did
+      not intend. This may allow the attacker to perform actions on behalf of
+      the targeted user.
+    </p>
+
+    <p>
+      The attacker tricks an authenticated user into submitting a request to the
+      web application. Typically this request will result in a state change on
+      the server, such as changing the user's password. The request can be
+      initiated when the user visits a site controlled by the attacker. If the
+      web application relies only on cookies for authentication, or on other
+      credentials that are automatically included in the request, then this
+      request will appear as legitimate to the server.
+    </p>
+
+    <p>
+      A common countermeasure for CSRF is to generate a unique token to be
+      included in the HTML sent from the server to a user. This token can be
+      used as a hidden field to be sent back with requests to the server, where
+      the server can then check that the token is valid and associated with the
+      relevant user session.
+    </p>
+  </overview>
+
+  <recommendation>
+    <p>
+      In many web frameworks, CSRF protection is enabled by default. In these
+      cases, using the default configuration is sufficient to guard against most
+      CSRF attacks.
+    </p>
+  </recommendation>
+
+  <example>
+    <p>
+      The following example shows a case where forgery protection is disabled by
+      skipping token verification.
+    </p>
+
+    <sample src="examples/UsersController.rb"/>
+
+    <p>
+      Verification can be re-enabled by removing the call to
+      <code>skip_before_action</code>.
+    </p>
+
+  </example>
+
+  <references>
+    <li>Wikipedia: <a href="https://en.wikipedia.org/wiki/Cross-site_request_forgery">Cross-site request forgery</a></li>
+    <li>OWASP: <a href="https://owasp.org/www-community/attacks/csrf">Cross-site request forgery</a></li>
+    <li>Securing Rails Applications: <a href="https://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf">Cross-Site Request Forgery (CSRF)</a></li>
+  </references>
+
+</qhelp>
diff --git a/ruby/ql/src/queries/security/cwe-352/examples/UsersController.rb b/ruby/ql/src/queries/security/cwe-352/examples/UsersController.rb
@@ -0,0 +1,3 @@
+class UsersController < ApplicationController
+  skip_before_action :verify_authenticity_token
+end

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+class UsersController < ApplicationController`
	`2`	`+ skip_before_action :verify_authenticity_token`
	`3`	`+end`