Background
Brakeman version: 8.0.2
Rails version: 8.1.2
Ruby version: 4.0.1
Link to Rails application code: https://github.com/stringer-rss/stringer
Issue
When an application uses module shorthand syntax, Brakeman reports a false positive for "Cross-Site Request Forgery". Full warning from Brakeman:
[High] Cross-Site Request Forgery: protect_from_forgery should be called in ApplicationController (app/controllers/application_controller.rb:3)
Relevant code in config/application.rb:
class Stringer::Application < Rails::Application
  config.load_defaults(8.0)
end
When I expand this to the following, the warning goes away:
module Stringer
  class Application < Rails::Application
    config.load_defaults(8.0)
  end
end
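As an added illustration (not Brakeman's own code), here is a Ripper-based walk that resolves both spellings of the class to the same fully qualified constant, `Stringer::Application`, and checks its body for the `load_defaults` call; the two sample sources are constructed from the snippets above. A checker that only matches the nested `module`/`class` shape would miss the shorthand form, which is the gap this report describes.

```ruby
# Added illustration, not Brakeman's own code: resolve a Rails::Application subclass
# to its fully qualified name whether written as `class Stringer::Application` or
# nested inside `module Stringer`, then check its body for `load_defaults`.
require "ripper"

# Every constant token under a Ripper node, in source order (Stringer::Application => %w[Stringer Application]).
def const_names(node)
  return [] unless node.is_a?(Array)
  return [node[1]] if node[0] == :@const
  node.flat_map { |child| const_names(child) }
end

# True if a method named `meth` is called anywhere under the node.
def calls?(node, meth)
  return false unless node.is_a?(Array)
  return true if node[0] == :@ident && node[1] == meth
  node.any? { |child| calls?(child, meth) }
end

# Walk the S-expression tracking the enclosing module path; map each class's
# fully qualified name to its superclass and whether it calls load_defaults.
def rails_apps(node, scope = [], found = {})
  return found unless node.is_a?(Array)
  case node[0]
  when :module                      # [:module, cpath, body]
    rails_apps(node[2], scope + const_names(node[1]), found)
  when :class                       # [:class, cpath, superclass, body]
    path = scope + const_names(node[1])
    found[path.join("::")] = { superclass: const_names(node[2]).join("::"),
                               load_defaults: calls?(node[3], "load_defaults") }
    rails_apps(node[3], path, found)
  else
    node.each { |child| rails_apps(child, scope, found) }
  end
  found
end

# Only Rails::Application subclasses matter for this check.
def analyze(source)
  rails_apps(Ripper.sexp(source)).select { |_, v| v[:superclass] == "Rails::Application" }
end

# Constructed inputs mirroring the two config/application.rb forms in the report.
SHORTHAND = "class Stringer::Application < Rails::Application\n  config.load_defaults(8.0)\nend\n"
NESTED = "module Stringer\n  class Application < Rails::Application\n    config.load_defaults(8.0)\n  end\nend\n"

if __FILE__ == $PROGRAM_NAME
  p analyze(SHORTHAND)   # both forms resolve to the same constant
  p analyze(NESTED)
end
```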