
CodeQL: weakened CSRF protection in ApplicationController (rb/csrf-protection-disabled) #6920

@compwron

Description


CodeQL flagged a high-severity warning on main: code-scanning alert #60, rb/csrf-protection-disabled (CWE-352).

Where

app/controllers/application_controller.rb:7

class ApplicationController < ActionController::Base
  ...
  protect_from_forgery
  ...
end

Why CodeQL flags it

Calling protect_from_forgery with no with: argument downgrades the failure mode to with: :null_session instead of the safer Rails 5+ default of with: :exception. From the CodeQL guidance:

Care should be taken when using the Rails protect_from_forgery method to prevent CSRF. The default behaviour of this method is to null the session when an invalid CSRF token is provided. This may not be sufficient to avoid a CSRF vulnerability — for example if parts of the session are memoized. … Note this remains true even in Rails version 5 and later: these versions automatically run protect_from_forgery with: :exception by default, but manually calling protect_from_forgery with no with argument will still downgrade protection to provide an empty session rather than raise an exception.

See also: Veracode — When Rails' protect_from_forgery Fails.
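To make the downgrade concrete, here is a small Ruby model of the two with: strategies. It is an added illustration written for this issue, not Rails' own implementation and not code from this repository; Request, ForgeryGuard, AccountsController and the remember-me cookie are constructed stand-ins. The point it shows is the one in the CodeQL guidance: under :null_session the action still runs with an emptied session, so any identity that does not come from the session (here a remember-me cookie) survives, whereas under :exception the action never runs.

```ruby
require 'securerandom'

# Constructed model of the two protect_from_forgery failure modes; an
# illustration, not Rails' own code. Request, ForgeryGuard and
# AccountsController are assumed names for the model.

class InvalidAuthenticityToken < StandardError; end

# Stand-in for a Rails request: the server-side session, submitted params, and
# cookies the browser attaches automatically (including a remember-me cookie).
Request = Struct.new(:session, :params, :cookies, keyword_init: true)

module ForgeryGuard
  STRATEGIES = %i[null_session exception].freeze

  # A request is verified when the submitted authenticity_token matches the
  # token stored in the session.
  def self.verified?(request)
    expected = request.session[:csrf_token]
    given = request.params[:authenticity_token]
    !expected.nil? && expected == given
  end

  # with: :exception stops before the action runs; with: :null_session only
  # swaps in an empty session and still runs the action.
  def self.protect(request, with:)
    raise ArgumentError, "unknown strategy #{with.inspect}" unless STRATEGIES.include?(with)
    return yield(request) if verified?(request)

    case with
    when :exception
      raise InvalidAuthenticityToken, 'missing or invalid authenticity token'
    when :null_session
      yield Request.new(session: {}, params: request.params, cookies: request.cookies)
    end
  end
end

class AccountsController
  attr_reader :emails

  def initialize
    @emails = { 'alice' => 'alice@example.com' } # constructed user store
  end

  # Identity comes from the session first, then from the remember-me cookie.
  # That fallback is why an emptied session is not a sufficient defence:
  # the cookie survives the null_session strategy.
  def current_user(request)
    request.session[:user_id] || request.cookies[:remember_me]
  end

  def update_email(request)
    user = current_user(request)
    return :unauthenticated unless user

    @emails[user] = request.params[:email]
    :updated
  end
end

SESSION_TOKEN = SecureRandom.hex(16)

# Same-origin form post carrying the token that was rendered into the page.
def legitimate_request(email)
  Request.new(session: { user_id: 'alice', csrf_token: SESSION_TOKEN },
              params: { email: email, authenticity_token: SESSION_TOKEN },
              cookies: { remember_me: 'alice' })
end

# Constructed cross-site post: the browser attaches the victim's cookies, but
# the page that built the form could not read the token, so none is submitted.
def forged_request(email)
  Request.new(session: { user_id: 'alice', csrf_token: SESSION_TOKEN },
              params: { email: email },
              cookies: { remember_me: 'alice' })
end

# Runs one request under one strategy and reports the action result together
# with the stored e-mail afterwards.
def outcome(request, strategy)
  controller = AccountsController.new
  result = ForgeryGuard.protect(request, with: strategy) { |req| controller.update_email(req) }
  [result, controller.emails['alice']]
rescue InvalidAuthenticityToken
  [:rejected, controller.emails['alice']]
end

if __FILE__ == $PROGRAM_NAME
  puts "legitimate, :exception    -> #{outcome(legitimate_request('new@example.com'), :exception).inspect}"
  puts "forged,     :null_session -> #{outcome(forged_request('changed@example.invalid'), :null_session).inspect}"
  puts "forged,     :exception    -> #{outcome(forged_request('changed@example.invalid'), :exception).inspect}"
end
```

Running the file prints the three outcomes: the legitimate request is updated under either strategy, the forged request is rejected under :exception, and under :null_session the forged request still changes the stored address because the remember-me cookie fills in the identity the emptied session no longer provides.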

Suggested fix

One of:

  1. Remove the explicit call: ActionController::Base already enables protect_from_forgery with: :exception by default in Rails 5+, so the line on its own is actively weakening the default.
  2. Or be explicit — change to protect_from_forgery with: :exception if we want the call to remain for clarity.

Option 1 is the smaller diff; option 2 is more self-documenting. Either resolves the alert.

Verification

  • Update app/controllers/application_controller.rb
  • Run the controller/request specs (anything that posts forms or uses CSRF tokens)
  • Confirm CodeQL alert #60 auto-closes after the next scan on main
