Cross-site request forgery (CSRF) protection missing
Description
The controller does not enable cross-site request forgery protection with `protect_from_forgery`. Without it, the browser of an authenticated user can be made to submit state-changing requests to this controller on the user's behalf, from a page the attacker controls, and the application will process them as if the user had intended them.
Examples
Insecure Code
```ruby
class YourController < ApplicationController
  # Your controller actions here
end
```
Secure Code
```ruby
class YourController < ApplicationController
  protect_from_forgery with: :exception
  # Your controller actions here
end
```
Remediation
Add `protect_from_forgery with: :exception` to your controller class.
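To make concrete what the `with: :exception` setting buys you, here is an added, framework-free Ruby sketch of the check Rails performs behind `protect_from_forgery`; it is not Rails code. The session token, the one-time-pad masking of the token embedded in forms, and the `InvalidAuthenticityToken` class are all stand-ins written for this example.

```ruby
require 'securerandom'
require 'base64'

# Stand-in for ActionController::InvalidAuthenticityToken (assumption: the
# real class lives in Rails; this example does not load Rails).
class InvalidAuthenticityToken < StandardError; end

TOKEN_LENGTH = 32 # raw token size in bytes (assumed, for this example)

# Raw per-session token, kept server-side in the session store.
def new_session_token
  SecureRandom.random_bytes(TOKEN_LENGTH)
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Mask the raw token with a fresh one-time pad before embedding it in a form,
# so the value sent to the browser differs on every render.
def masked_token(raw)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, raw))
end

# Constant-time comparison so the check does not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Unmask a submitted token and compare it with the session token.
def valid_token?(session_raw, submitted)
  return false if session_raw.nil? || submitted.nil?
  decoded = Base64.strict_decode64(submitted)
  return false unless decoded.bytesize == TOKEN_LENGTH * 2
  pad, masked = decoded[0, TOKEN_LENGTH], decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_bytes(pad, masked), session_raw)
rescue ArgumentError # malformed base64 counts as an invalid token
  false
end

# The behaviour `protect_from_forgery with: :exception` gives a controller:
# safe methods pass, every other request must carry a valid token or is aborted.
def protect_from_forgery!(method:, session_raw:, submitted:)
  return true if %w[GET HEAD OPTIONS].include?(method)
  raise InvalidAuthenticityToken unless valid_token?(session_raw, submitted)
  true
end
```

A forged cross-site request never sees the session token, so it cannot produce a value that unmasks to it and the POST is rejected before the action runs.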
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0523 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-352 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | csrf, rails |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |
References
- https://github.com/semgrep/semgrep-rules/blob/develop/ruby/lang/security/missing-csrf-protection.yaml
- https://owasp.org/www-community/attacks/csrf
- https://owasp.org/Top10/A01_2021-Broken_Access_Control