Insecure use of skip_filter or skip_before_filter
Description
The application disables controller checks (such as an authentication filter) by calling `skip_filter` or `skip_before_filter` with an `:except` option. Because `:except` skips the check for every action that is not listed, any action added to the controller later is unprotected by default, which can inadvertently open parts of the application to unauthorized access. A safer approach is to use an `:only` option that names exactly the actions for which the check is skipped, so every other action, including ones added later, keeps it.
Examples
Insecure Code

```ruby
# Authentication is skipped for every action except new and create;
# any action added later is unauthenticated by default.
skip_before_filter :authenticate_user!, :except => [:new, :create]
```

Secure Code

```ruby
# Authentication is skipped only for new and create;
# every other action, including ones added later, keeps the check.
skip_before_action :authenticate_user!, only: [:new, :create]
```

Remediation
Replace `:except` with `:only` and list explicitly the actions that are allowed to skip the check, so that every action not listed keeps it. Prefer `skip_before_action`, the current Rails name for this callback, over the deprecated `skip_before_filter`.
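The following is an added example, not code from the rule page or from the referenced Brakeman or Semgrep checks: a small line-based Ruby checker that flags the pattern this rule describes (`skip_filter`, `skip_before_filter` or `skip_before_action` combined with an `:except` option) in a constructed controller source, so the detection can be reproduced without a Rails application. It is a heuristic on source lines, not a Ruby parser, and the controller text and the `Finding` struct are constructed for the example.

```ruby
# Heuristic checker for skip_* callbacks that use :except (constructed example).
SKIP_CALL  = /\b(skip_before_filter|skip_before_action|skip_filter)\b/
EXCEPT_OPT = /(?::except\s*=>|\bexcept:)/   # both hash-rocket and new-style syntax

Finding = Struct.new(:line_no, :call, :filter, :text)

# Scans Ruby source text and returns one Finding per skip_* call that uses
# :except. Fully commented-out lines are ignored; a '#' inside a string literal
# would be treated as a comment, which is acceptable for a line heuristic.
def find_insecure_skip_filters(source)
  findings = []
  source.each_line.with_index(1) do |line, no|
    code = line.sub(/#.*$/, "")            # drop trailing comments
    next if code.strip.empty?
    m = SKIP_CALL.match(code)
    next unless m && code =~ EXCEPT_OPT
    filter = code[/:(\w+[!?]?)/, 1]        # first symbol is the skipped filter
    findings << Finding.new(no, m[1], filter, code.strip)
  end
  findings
end

# Constructed controller source: two insecure lines (2 and 5), one commented
# out (3) and one that correctly uses :only (4).
SAMPLE_CONTROLLER = <<~RUBY
  class PostsController < ApplicationController
    skip_before_filter :authenticate_user!, :except => [:new, :create]
    # skip_before_filter :authenticate_user!, :except => [:index]
    skip_before_action :authenticate_user!, only: [:new, :create]
    skip_before_action :verify_authenticity_token, except: [:index]
  end
RUBY

find_insecure_skip_filters(SAMPLE_CONTROLLER).each do |f|
  puts "line #{f.line_no}: #{f.call} skips #{f.filter} with :except -> use :only"
end
```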
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0534 |
| Category | AccessControl |
| Severity | MEDIUM |
| CWE | CWE-749 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | rails, authorization |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |
References
- https://owasp.org/Top10/A01_2021-Broken_Access_Control/
- https://github.com/semgrep/semgrep-rules/blob/develop/ruby/rails/security/brakeman/check-before-filter.yaml