31 lines
1.5 KiB
YAML
31 lines
1.5 KiB
YAML
rules:
|
|
- id: symfony-csrf-protection-disabled
|
|
patterns:
|
|
- pattern-either:
|
|
- pattern: $X->createForm($TYPE, $TASK, [..., 'csrf_protection' => false, ...], ...)
|
|
- pattern: $X->prependExtensionConfig('framework', [..., 'csrf_protection' => false, ...], ...)
|
|
- pattern: $X->loadFromExtension('framework', [..., 'csrf_protection' => false, ...], ...)
|
|
- pattern: $X->setDefaults([..., 'csrf_protection' => false, ...], ...)
|
|
- patterns:
|
|
- pattern-either:
|
|
- pattern: $X->createForm($TYPE, $TASK, [..., 'csrf_protection' => $VAL, ...], ...)
|
|
- pattern: $X->prependExtensionConfig('framework', [..., 'csrf_protection' => $VAL, ...], ...)
|
|
- pattern: $X->loadFromExtension('framework', [..., 'csrf_protection' => $VAL, ...], ...)
|
|
- pattern: $X->setDefaults([..., 'csrf_protection' => $VAL, ...], ...)
|
|
- pattern-inside: |
|
|
$VAL = false;
|
|
...
|
|
message: >-
|
|
CSRF is disabled for this configuration. This is a security risk.
|
|
Make sure that it is safe or consider setting `csrf_protection` property to `true`.
|
|
metadata:
|
|
references:
|
|
- https://symfony.com/doc/current/security/csrf.html
|
|
cwe: "CWE-352: Cross-Site Request Forgery (CSRF)"
|
|
owasp: "A6: Security Misconfiguration"
|
|
category: security
|
|
technology:
|
|
- symfony
|
|
languages: [php]
|
|
severity: WARNING
|