Description
It looks like # sobelow_skip ["Config.CSRF"] on a pipeline in a Phoenix router doesn't actually make sobelow skip this check for that pipeline.
Steps to reproduce this issue
- Create a new phoenix app.
- Remove plug :protect_from_forgery from the :browser pipeline.
- Add # sobelow_skip ["Config.CSRF"] above pipeline :browser do.
- Run mix sobelow --skip.
Current behavior
The check fails with a Config.CSRF error.
Expected behavior
The check should respect sobelow_skip and not fail for that specific pipeline.
Context
In some cases we need to have a pipeline without plug :protect_from_forgery. Even though Plug.CSRFProtection has a way of skipping CSRF protection for a specific route, they instead recommend that we use a different stack of plugs for that route that does not include Plug.CSRFProtection.
Workaround
We can use the .sobelow-skips file as a workaround. However, this seems to be unreliable on CI environments. Hence, I think it would be a good idea to ignore a pipeline with # sobelow_skip ["Config.CSRF"].
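The router layout described in the Context section, as an added example that is not part of this issue or of Sobelow itself: the default :browser pipeline keeps Plug.CSRFProtection, a second pipeline without it carries the sobelow_skip annotation, and only the route that cannot present a CSRF token goes through the second pipeline. Module, controller and route names are assumed.

```elixir
defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  # Regular browser pipeline: every form-handling route keeps CSRF protection.
  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_live_flash
    plug :put_root_layout, {MyAppWeb.Layouts, :root}
    plug :protect_from_forgery
    plug :put_secure_browser_headers
  end

  # Separate pipeline for a route that cannot present a CSRF token
  # (assumed: a server-to-server callback). Config.CSRF is skipped only here;
  # the annotation sits on the pipeline, which is what this issue reports as
  # not being honoured by `mix sobelow --skip`.
  # sobelow_skip ["Config.CSRF"]
  pipeline :browser_no_csrf do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :put_secure_browser_headers
  end

  scope "/", MyAppWeb do
    pipe_through :browser

    get "/", PageController, :home
    post "/profile", ProfileController, :update
  end

  # Keep the unprotected pipeline scoped to the one route that needs it, so
  # nothing else in the app is reachable without a CSRF check.
  scope "/callbacks", MyAppWeb do
    pipe_through :browser_no_csrf

    post "/payment", PaymentCallbackController, :create
  end
end
```

With this layout a Config.CSRF finding from Sobelow should point only at :browser_no_csrf; any finding against :browser means a form route lost its protection.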