nccgroup / sobelow

Security-focused static analysis for the Phoenix Framework
Apache License 2.0

CSRF Check #20

Closed veverkap closed 7 years ago

veverkap commented 7 years ago

According to the Plug docs, the :protect_from_forgery plug accepts the following options:

Options

* `:session_key` - the name of the key in session to store the token under
* `:with` - should be one of `:exception` or `:clear_session`. Defaults to
`:exception`.
  * `:exception` -  for invalid requests, this plug will raise
  `Plug.CSRFProtection.InvalidCSRFTokenError`.
  * `:clear_session` -  for invalid requests, this plug will set an empty
  session for only this request. Also any changes to the session during this
  request will be ignored.

When we ran it against our codebase using :session_key we got a false error. This PR adjusts the match in utils.ex to allow options.
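
As an added example (not sobelow's own code and not the patch in this PR), the following shows the matching problem the comment describes: a pattern that only recognises `plug :protect_from_forgery` as a single-argument call misses the same plug once a keyword list of options follows it, because a literal keyword list appears in the AST as a second argument. The module and function names and the three sample routers are constructed for this illustration; it relies only on `Code.string_to_quoted/1` and `Macro.prewalk/3` from the Elixir standard library.

```elixir
# Added illustration, not sobelow's code: recognise `plug :protect_from_forgery`
# in a Phoenix router whether it is called bare or with options.
# Module/function names and sample routers below are constructed.
defmodule CsrfCheckExample do
  # Constructed sample: the common bare form.
  @bare_router """
  defmodule MyAppWeb.Router do
    pipeline :browser do
      plug :accepts, ["html"]
      plug :fetch_session
      plug :protect_from_forgery
      plug :put_secure_browser_headers
    end
  end
  """

  # Constructed sample: the same plug with the options documented by Plug.
  @router_with_opts """
  defmodule MyAppWeb.Router do
    pipeline :browser do
      plug :accepts, ["html"]
      plug :fetch_session
      plug :protect_from_forgery, session_key: "_csrf_token", with: :clear_session
      plug :put_secure_browser_headers
    end
  end
  """

  # Constructed sample: no CSRF protection at all.
  @router_missing """
  defmodule MyAppWeb.Router do
    pipeline :browser do
      plug :accepts, ["html"]
      plug :fetch_session
    end
  end
  """

  # Returns {:ok, opts} when a `plug :protect_from_forgery` call is present
  # (opts is [] for the bare form) and :missing otherwise.
  def csrf_protection(source) when is_binary(source) do
    {:ok, ast} = Code.string_to_quoted(source)

    {_ast, result} =
      Macro.prewalk(ast, :missing, fn
        # `plug :protect_from_forgery` with no options
        {:plug, _meta, [:protect_from_forgery]} = node, :missing ->
          {node, {:ok, []}}

        # `plug :protect_from_forgery, key: value, ...`: the literal keyword
        # list is a plain list of two-tuples in the AST, so a matcher that
        # only accepts `[:protect_from_forgery]` reports a false positive here.
        {:plug, _meta, [:protect_from_forgery, opts]} = node, :missing when is_list(opts) ->
          {node, {:ok, opts}}

        node, acc ->
          {node, acc}
      end)

    result
  end

  def samples do
    [bare: @bare_router, with_opts: @router_with_opts, missing: @router_missing]
  end

  # Runs the check over every constructed sample and prints the verdicts.
  def run do
    for {name, source} <- samples() do
      IO.puts("#{name}: #{inspect(csrf_protection(source))}")
    end

    :ok
  end
end
```

Run it with `elixir -e 'Code.require_file("csrf_check_example.exs"); CsrfCheckExample.run()'` after saving the module as `csrf_check_example.exs`. The second clause is the one that addresses the report above; a further check could inspect the returned options, for instance to flag `with: :clear_session` when a project policy expects the default `:exception` behaviour.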

GriffinMB commented 7 years ago

Thanks for the PR! And the first public tests :)