It looks like # sobelow_skip ["Config.CSRF"] on a pipeline in a Phoenix router doesn't actually make sobelow skip this check for that pipeline.
Steps to reproduce this issue
phoenix app.
plug :protect_from_forgery from the :browser pipeline.
# sobelow_skip ["Config.CSRF"] above pipeline :browser do.
mix sobelow --skip.
Current behavior
The check fails with a Config.CSRF error.
Expected behavior
The check should respect sobelow_skip and not fail for that specific pipeline.
Context
In some cases we need to have a pipeline without plug :protect_from_forgery. Even though Plug.CSRFProtection has a way of skipping CSRF protection for a specific route, they instead recommend that we use a different stack of plugs for that route that does not include Plug.CSRFProtection.
Workaround
We can use the .sobelow-skips file as a workaround. However, this seems to be unreliable on CI environments. Hence, I think it would be a good idea to ignore a pipeline with # sobelow_skip ["Config.CSRF"].