It looks like `# sobelow_skip ["Config.CSRF"]` on a `pipeline` in a Phoenix router doesn't actually make `sobelow` skip this check for that pipeline.
Steps to reproduce this issue
- Create a new phoenix app.
- Remove `plug :protect_from_forgery` from the `:browser` pipeline.
- Add `# sobelow_skip ["Config.CSRF"]` above `pipeline :browser do`.
- Run `mix sobelow --skip`.
Current behavior
The check fails with a `Config.CSRF` error.
Expected behavior
The check should respect `sobelow_skip` and not fail for that specific pipeline.
Context
In some cases we need to have a pipeline without `plug :protect_from_forgery`. Even though `Plug.CSRFProtection` has a way of skipping CSRF protection for a specific route, they instead recommend that we use a different stack of plugs for that route that does not include `Plug.CSRFProtection`.
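As an added illustration of the reproduction steps and of the "separate plug stack" pattern described above (constructed example, not code from the issue author or the sobelow project), this router keeps CSRF protection on the default `:browser` pipeline and moves the routes that must accept cross-site POSTs onto a second pipeline that never includes `Plug.CSRFProtection`. The skip comment sits directly above that second pipeline, which is the placement the issue reports is not honoured by `mix sobelow --skip`. Module, controller and route names are assumptions.

```elixir
# lib/my_app_web/router.ex (constructed example; MyAppWeb, the controllers
# and the routes are placeholders, not from the original issue)
defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  # Default browser pipeline: CSRF protection stays in place, exactly as a
  # freshly generated Phoenix app ships it, so Sobelow has nothing to flag.
  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_live_flash
    plug :put_root_layout, html: {MyAppWeb.Layouts, :root}
    plug :protect_from_forgery
    plug :put_secure_browser_headers
  end

  # Separate plug stack for the few routes that legitimately receive
  # cross-site POSTs (a third-party callback, for example). Rather than
  # disabling CSRF for one route inside :browser, the route is mounted under
  # a pipeline that never included Plug.CSRFProtection. Only the callback
  # routes go through it, so the rest of the application keeps its
  # protection.
  #
  # Per the issue, this skip directive is currently ignored by
  # `mix sobelow --skip` and the Config.CSRF finding is still raised.
  # sobelow_skip ["Config.CSRF"]
  pipeline :external_callback do
    plug :accepts, ["html", "json"]
    plug :fetch_session
    plug :put_secure_browser_headers
  end

  scope "/", MyAppWeb do
    pipe_through :browser

    get "/", PageController, :home
    post "/settings", SettingsController, :update
  end

  # Keep the CSRF-exempt surface as small as possible: one scope, one route.
  scope "/callbacks", MyAppWeb do
    pipe_through :external_callback

    post "/provider", CallbackController, :create
  end
end
```

Running `mix sobelow --skip` against a project laid out like this reproduces the behaviour described in the issue: the `:browser` pipeline is clean, and the `:external_callback` pipeline is still reported under `Config.CSRF` despite the directive above it, leaving the `.sobelow-skips` file as the only way to silence it.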
Workaround
We can use the `.sobelow-skips` file as a workaround. However, this seems to be unreliable on CI environments. Hence, I think it would be a good idea to ignore a pipeline with `# sobelow_skip ["Config.CSRF"]`.