ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn't mean to. Instead, remove this line and explicitly include all routes you intend external users to follow.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: avoid-default-routes
    metadata:
      owasp:
        - A01:2021 - Broken Access Control
      cwe:
        - "CWE-276: Incorrect Default Permissions"
      references:
        - https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/default_routes/index.markdown
      category: security
      technology:
        - rails
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    message: Default routes are enabled in this routes file. This means any public
      method on a controller can be called as an action. It is very easy to
      accidentally expose a method you didn't mean to. Instead, remove this line
      and explicitly include all routes you intend external users to follow.
    languages:
      - ruby
    severity: WARNING
    patterns:
      - pattern-either:
          - pattern: map.connect ":controller/:action/:id"
          - pattern: match ':controller(/:action(/:id(.:format)))'
    paths:
      include:
        - "*routes.rb"