Ruby: Make CSRF query more sensitive

hmac · hmac · commit 6d6f8ba512b4 · 2024-02-23T11:13:15.000Z
Generate an alert for every controller class that doesn't have or
inherity a `protect_from_forgery` setting.
diff --git a/ruby/ql/src/queries/security/cwe-352/CSRFProtectionNotEnabled.ql b/ruby/ql/src/queries/security/cwe-352/CSRFProtectionNotEnabled.ql
@@ -15,9 +15,17 @@ import codeql.ruby.AST
 import codeql.ruby.Concepts
 import codeql.ruby.frameworks.ActionController
 
-from ActionController::RootController c
-where
-  not exists(ActionController::ProtectFromForgeryCall call |
-    c.getSelf().flowsTo(call.getReceiver())
-  )
-select c, "Potential CSRF vulnerability due to forgery protection not being enabled"
+/**
+ * Holds if a call to `protect_from_forgery` is made in the controller class `definedIn`,
+ * which is inherited by the controller class `child`.
+ */
+private predicate protectFromForgeryCall(
+  ActionControllerClass definedIn, ActionControllerClass child,
+  ActionController::ProtectFromForgeryCall call
+) {
+  definedIn.getSelf().flowsTo(call.getReceiver()) and child = definedIn.getADescendent()
+}
+
+from ActionControllerClass c
+where not protectFromForgeryCall(_, c, _)
+select c, "Potential CSRF vulnerability due to forgery protection not being enabled."
diff --git a/ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionNotEnabled.expected b/ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionNotEnabled.expected
@@ -1 +1,2 @@
-| railsapp/app/controllers/alternative_root_controller.rb:1:1:3:3 | AlternativeRootController | Potential CSRF vulnerability due to forgery protection not being enabled |
+| railsapp/app/controllers/alternative_root_controller.rb:1:1:3:3 | AlternativeRootController | Potential CSRF vulnerability due to forgery protection not being enabled. |
+| railsapp/app/controllers/tags_controller.rb:1:1:2:3 | TagsController | Potential CSRF vulnerability due to forgery protection not being enabled. |
diff --git a/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/subscriptions_controller.rb b/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/subscriptions_controller.rb
@@ -0,0 +1,3 @@
+class SubscriptionsController < AlternativeRootController
+    protect_from_forgery with: :exception
+end
diff --git a/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/tags_controller.rb b/ruby/ql/test/query-tests/security/cwe-352/railsapp/app/controllers/tags_controller.rb
@@ -0,0 +1,2 @@
+class TagsController < AlternativeRootController
+end

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-\| railsapp/app/controllers/alternative_root_controller.rb:1:1:3:3 \| AlternativeRootController \| Potential CSRF vulnerability due to forgery protection not being enabled \|`
	`1`	`+\| railsapp/app/controllers/alternative_root_controller.rb:1:1:3:3 \| AlternativeRootController \| Potential CSRF vulnerability due to forgery protection not being enabled. \|`
	`2`	`+\| railsapp/app/controllers/tags_controller.rb:1:1:2:3 \| TagsController \| Potential CSRF vulnerability due to forgery protection not being enabled. \|`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+class SubscriptionsController < AlternativeRootController`
	`2`	`+ protect_from_forgery with: :exception`
	`3`	`+end`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+class TagsController < AlternativeRootController`
	`2`	`+end`