Improper HTTP Verb Confusion Check

Description

The code uses `request.get?` without considering `request.head?`, potentially causing unexpected behavior. In Rails, HEAD requests are routed as GET requests but will fail the `request.get?` check.

Examples

Insecure Code

ruby

if request.get?
  # Handle GET request logic here
else
  # Handle others if needed
end

Secure Code

ruby

if request.get?
  # Handle GET request logic here
elsif request.head?
  # Handle HEAD request logic here
else
  # Handle others if needed
end

Remediation

Add an `elsif` condition to handle `request.head?`

Rule Details

Field	Value
ID	CODE-0538
Category	Web
Severity	MEDIUM
CWE	CWE-754
Confidence	HIGH
Impact	MEDIUM
Likelihood	MEDIUM
Exploitability	MODERATE
Tags	rails, http, verb confusion
OWASP	A6:2017-Security Misconfiguration, A04:2021-Insecure Design

References

https://github.com/semgrep/semgrep-rules/blob/develop/ruby/rails/security/brakeman/check-http-verb-confusion.yaml

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Improper HTTP Verb Confusion Check

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

Improper HTTP Verb Confusion Check ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

References ​

Improper HTTP Verb Confusion Check

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References