v15.18.0#2496
Conversation
| @@ -1,5 +1,6 @@ | |||
| class DashboardController < ApplicationController | |||
| before_action :set_global_config | |||
| skip_before_action :verify_authenticity_token, only: [:csp_reports] | |||
Check failure
Code scanning / CodeQL
CSRF protection weakened or disabled High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 10 months ago
To fix the potential CSRF vulnerability, we should remove the line that disables CSRF protection (skip_before_action :verify_authenticity_token, only: [:csp_reports]) from the DashboardController. This will restore the default CSRF protection provided by Rails and ensure that all actions, including csp_reports, require valid CSRF tokens. If there is a valid need to allow CSRF-exempt endpoints, a more secure approach should be taken (such as limiting the action format to JSON, authenticating requests, or whitelisting trusted sources; but that is outside the scope since we only have the provided snippet). Remove line 3 from app/controllers/dashboard_controller.rb.
| @@ -1,6 +1,5 @@ | ||
| class DashboardController < ApplicationController | ||
| before_action :set_global_config | ||
| skip_before_action :verify_authenticity_token, only: [:csp_reports] | ||
| layout "dashboard" | ||
|
|
||
| # === THESE CONSTANTS ARE CONFIGURABLE: === |
No description provided.