ruby.lang.security.filter-skipping.filter-skipping

Verifed by r2c
Community Favorite
profile photo of returntocorpreturntocorp
Author
97,918
Download Count*

Checks for use of action in Ruby routes. This can cause Rails to render an arbitrary view if an attacker creates an URL accurately. Affects 3.0 applications. Can avoid the vulnerability by providing additional constraints.

Run Locally

Run in CI

Defintion

rules:
  - id: filter-skipping
    patterns:
      - pattern-not: |
          $CALL "=~/.*(/:action.*).*/", $ACTION
      - pattern: |
          $CALL "=~/.*(/:action.*).*/"
    message: Checks for use of action in Ruby routes. This can cause Rails to render
      an arbitrary view if an attacker creates an URL accurately. Affects 3.0
      applications. Can avoid the vulnerability by providing additional
      constraints.
    metadata:
      cwe:
        - "CWE-1021: Improper Restriction of Rendered UI Layers or Frames"
      references:
        - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_filter_skipping.rb
        - https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY
      category: security
      technology:
        - ruby
      owasp:
        - A04:2021 - Insecure Design
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - ruby
    severity: ERROR

Examples

filter-skipping.rb

class MyController < ApplicationController
    def bad_route
        # ruleid: filter-skipping
        match '/:controller(/:action(/:id))'
    end

    def ok_route
        match '/:controller(/:action(/:id))', :action => /[a-z_]+/
    end
end