Unscoped Find Method Call with User-Controlled Input
Description
The application is calling the `find(...)` method with user-controlled input, which may lead to Insecure Direct Object Reference (IDOR) behavior and allow users to read arbitrary records, potentially resulting in data breaches, exposure of personal information, account takeovers, and other security issues.
Examples
Insecure Code

```ruby
User.find(params[:id])
```

Secure Code

```ruby
current_user.accounts.find(params[:id])
```

Remediation
Scope queries to the current user, or to another scope that reflects the caller's authorization, so that only records the user is permitted to see can be retrieved. Use ActiveRecord associations and scopes to narrow the candidate rows before the lookup, rather than fetching by primary key and checking ownership afterwards.
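The following is an added example, not code from the rule page or from Brakeman or Semgrep. It is a self-contained Ruby simulation that runs without Rails: the `Account` struct, the `ACCOUNTS` data and the `unscoped_find`/`scoped_find` helpers are constructed stand-ins for `Account.find` and `current_user.accounts.find`, and `show_balance` stands in for a controller action. It shows why the unscoped lookup lets one user read another user's record and why narrowing the candidate set through the association makes the same request come back as not found.

```ruby
# Added example (not from the rule page): a pure-Ruby simulation of the
# unscoped-find IDOR and its scoped fix. ActiveRecord is deliberately not
# used so the file runs on a plain Ruby interpreter; the classes below are
# constructed stand-ins for ActiveRecord models.

class RecordNotFound < StandardError; end

Account = Struct.new(:id, :owner_id, :balance)

# Constructed sample data: two users (ids 100 and 200), each owning one account.
ACCOUNTS = [
  Account.new(1, 100, 50_00),
  Account.new(2, 200, 999_99),
].freeze

# Stand-in for Account.find(id): matches any row by primary key, ignoring
# who owns it. This is the pattern the rule flags.
def unscoped_find(id)
  ACCOUNTS.find { |a| a.id == Integer(id) } or raise RecordNotFound, "Account #{id}"
end

# Stand-in for current_user.accounts.find(id): the association restricts the
# candidate rows to the caller's own accounts before the id lookup happens,
# so a foreign id can never match.
def scoped_find(current_user_id, id)
  owned = ACCOUNTS.select { |a| a.owner_id == current_user_id }
  owned.find { |a| a.id == Integer(id) } or raise RecordNotFound, "Account #{id}"
end

# Stand-in for a controller action that shows an account balance.
# `params[:id]` arrives as a string, as it does from a Rails request.
# Returns the balance, or nil where a Rails app would render 404.
def show_balance(current_user_id, params, scoped:)
  account = if scoped
              scoped_find(current_user_id, params[:id])
            else
              unscoped_find(params[:id])
            end
  account.balance
rescue RecordNotFound, ArgumentError # ArgumentError: non-numeric id
  nil
end

if __FILE__ == $PROGRAM_NAME
  # User 100 asks for account 2, which belongs to user 200.
  puts "unscoped: #{show_balance(100, { id: '2' }, scoped: false).inspect}" # other user's data
  puts "scoped:   #{show_balance(100, { id: '2' }, scoped: true).inspect}"  # nil (404)
  puts "own row:  #{show_balance(100, { id: '1' }, scoped: true).inspect}"  # 5000
end
```

Detection-wise, the difference is visible in the generated SQL: the scoped form adds `WHERE owner_id = ?` alongside the id condition, so a request for another user's id raises `ActiveRecord::RecordNotFound` instead of returning a row.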
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0535 |
| Category | AccessControl |
| Severity | MEDIUM |
| CWE | CWE-639 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | Insecure Direct Object Reference, IDOR, ActiveRecord |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |
References
- https://github.com/semgrep/semgrep-rules/blob/develop/ruby/rails/security/brakeman/check-unscoped-find.yaml
- https://brakemanscanner.org/docs/warning_types/unscoped_find/