25 lines
1.1 KiB
Plaintext
25 lines
1.1 KiB
Plaintext
{
|
|
"ignored_warnings": [
|
|
{
|
|
"warning_type": "Cross-Site Request Forgery",
|
|
"warning_code": 7,
|
|
"fingerprint": "59d73ce0b791aa7ed532510c780235a8b23f7cd1246dbf9da258e36f5d1e2b0a",
|
|
"message": "'protect_from_forgery' should be called in Api::V2::RestfulController",
|
|
"file": "app/controllers/api/v2/restful_controller.rb",
|
|
"line": 4,
|
|
"link": "http://brakemanscanner.org/docs/warning_types/cross-site_request_forgery/",
|
|
"code": null,
|
|
"render_path": null,
|
|
"location": {
|
|
"type": "controller",
|
|
"controller": "Api::V2::RestfulController"
|
|
},
|
|
"user_input": null,
|
|
"confidence": "High",
|
|
"note": "Cookie-based auth is disabled for the API except for the tokens endpoint. We're hoping this is sufficiently secure, because CSRF-forged links might get clicked on another site, but the generated tokens won't go back to the attacker. Also, an attacker would need a token to delete it, which means they've got access at that point anyways. - Devin, Feb 2017"
|
|
}
|
|
],
|
|
"updated": "2017-02-11 20:00:09 -0800",
|
|
"brakeman_version": "3.4.1"
|
|
}
|