False Positive CSRF Warning for RAILS LTS 4.2.11.20
Background
We are running Rails LTS version 4.2.11.20 and Brakeman is reporting a CSRF vulnerability warning. While no CVE id is provided in the warning, the closest match I can find in known vulnerabilities for vanilla Rails is CVE-2020-8166, which RailsLTS says does not affect v4.2 of LTS or any of their other supported Rails versions.
Brakeman version: 5.0.0
Rails version: 4.2.11.20 (RailsLTS)
Ruby version: 2.5.9
Link to Rails application code: N/A
False Positive
Full warning from Brakeman:
Confidence: Medium
Category: Cross-Site Request Forgery
Check: CSRFTokenForgeryCVE
Message: Rails 4.2.11.20 has a vulnerability that may allow CSRF token forgery. Upgrade to Rails 5.2.4.3 or patch
File: Gemfile.lock
Line: 586
Relevant code:
Gemfile.lock
Line 586 contains this:
rails (4.2.11.20)
Why might this be a false positive? CVE-2020-8166 is listed as not affecting RailsLTS v4.2, and RailsLTS tells us they're unaware of any known vulnerabilities in RailsLTS v4.2.11.20.
> CVE-2020-8166
> Rails 2.3 LTS is not affected. Rails 3.2 LTS is not affected. Rails 4.2 LTS is not affected.

https://makandracards.com/railslts/474590-list-of-cves-addressed-by-rails-lts
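As an added illustration (not code from Brakeman, Rails LTS or the reporter), a Ruby sketch of why a lockfile version comparison alone fires on `rails (4.2.11.20)` and how a source-aware triage step, fed with the makandra advisory list quoted above, clears it. The gem-server host and the `railslts` remote hint are assumptions, and the Gemfile.lock excerpt is constructed.

```ruby
# Added example (not Brakeman's or Rails LTS's code). Models why a purely
# version-based CSRF CVE check fires on a Rails LTS lockfile and how a
# source-aware triage step avoids the false positive.
require "rubygems"

# Fixed release quoted by the Brakeman warning on this page. A naive check
# treats any rails version below it as affected.
FIXED_VERSION = Gem::Version.new("5.2.4.3")

# Vendor advisory table taken from the makandra list quoted above:
# Rails LTS 2.3, 3.2 and 4.2 are not affected by CVE-2020-8166.
LTS_UNAFFECTED_LINES = ["2.3", "3.2", "4.2"].freeze

# ASSUMPTION: the Rails LTS gem source can be recognised from its remote URL.
# The real vendor host is not on this page, so a substring hint is used.
LTS_REMOTE_HINT = "railslts".freeze

# Pull the rails gem version and its gem source out of Gemfile.lock text.
def parse_lockfile(text)
  remote  = text[/^\s*remote:\s*(\S+)/, 1]
  version = text[/^\s+rails \((\d+(?:\.\d+)+)\)/, 1]
  raise ArgumentError, "no rails gem in lockfile" unless version
  { version: Gem::Version.new(version), remote: remote.to_s }
end

# Naive Brakeman-style check: version below the fixed release => warn.
def naive_vulnerable?(lock)
  lock[:version] < FIXED_VERSION
end

# Triage: keep the warning unless the gem comes from an LTS source AND the
# vendor lists that major.minor line as unaffected.
def triaged_vulnerable?(lock)
  return true unless lock[:remote].include?(LTS_REMOTE_HINT)
  line = lock[:version].segments.first(2).join(".")
  !LTS_UNAFFECTED_LINES.include?(line)
end

# Constructed lockfile excerpt modelled on the report (rails (4.2.11.20)).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://gems.railslts.example/
    specs:
      rails (4.2.11.20)
        actionmailer (= 4.2.11.20)
LOCK

if __FILE__ == $PROGRAM_NAME
  lock = parse_lockfile(SAMPLE_LOCK)
  puts "naive check flags it:   #{naive_vulnerable?(lock)}"    # true
  puts "source-aware triage:    #{triaged_vulnerable?(lock)}"  # false
end
```

In a real project the suppression would be recorded in Brakeman's ignore file rather than in code, so the decision is auditable alongside the advisory it relies on.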
Thank you for reporting!
Brakeman isn't really up-to-date on RailsLTS versions.
howdy @jamesburkill-sage, if you want to cut a PR to fix this, here's the last attempt:
https://github.com/presidentbeef/brakeman/pull/481