Incorrect Default Permissions
Description
Default routes are enabled in this routes file, allowing any public method on a controller to be called as an action. This can accidentally expose methods. Instead, remove the offending line and explicitly include all routes that are intended for external users to follow.
Examples
Insecure Code
```ruby
# Rails 2 style catch-all route: any public controller method becomes a routable action.
# The Rails 3+ equivalent is match ':controller(/:action(/:id))(.:format)'.
map.connect ":controller/:action/:id"
```
Secure Code
```ruby
# Explicit route: only posts#index is reachable, under the named helper `posts`.
get 'posts' => 'posts#index', as: :posts
```
Remediation
Remove the default route and explicitly define routes for external users.
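To make the exposure concrete, the following added example (not part of this rule page and not Rails itself) models in plain Ruby how Rails derives a controller's action set and which actions a route table makes reachable. The controller classes, the `purge_all` helper and the `reachable_actions` function are constructed for illustration; the point is that under a catch-all route every public method is an action, while explicit routes (or making the helper `private`) remove it from the reachable set.

```ruby
# Added example, not the original page's code. Dependency-free model of Rails
# action dispatch: Rails treats every public instance method declared on a
# controller (minus those of the framework base class) as a callable action.

class ApplicationController
  # Stand-in for the framework base class; its methods are never actions.
  def render(*); end
end

# Constructed controller with a helper that was accidentally left public.
class PostsController < ApplicationController
  def index; "listing posts"; end
  def show; "showing post"; end

  # Meant to be internal, but public: with a default route a request to
  # /posts/purge_all would dispatch here.
  def purge_all; "all posts deleted"; end
end

# Hardened variant of the same controller: the helper sits under `private`,
# so even a catch-all route cannot reach it.
class SafePostsController < ApplicationController
  def index; "listing posts"; end
  def show; "showing post"; end

  private

  def purge_all; "all posts deleted"; end
end

# Mirrors how Rails computes action_methods: public instance methods of the
# controller hierarchy, minus those inherited from the framework base class.
def action_methods(controller)
  (controller.public_instance_methods -
    ApplicationController.public_instance_methods).map(&:to_s).sort
end

# Route table model: :default stands for the catch-all ":controller/:action/:id"
# route; otherwise an Array of explicit "controller#action" strings.
def reachable_actions(controller, routes)
  actions = action_methods(controller)
  return actions if routes == :default

  name = controller.name.sub(/Controller\z/, '').downcase
  routes.map { |r| r.split('#', 2) }
        .select { |ctrl, _| ctrl == name }
        .map { |_, action| action }
        .select { |action| actions.include?(action) }
        .sort
end

# Constructed explicit route table, equivalent to the "Secure Code" style above.
EXPLICIT_ROUTES = ['posts#index', 'posts#show'].freeze

if __FILE__ == $PROGRAM_NAME
  puts "default route, public helper:  #{reachable_actions(PostsController, :default).inspect}"
  puts "explicit routes:               #{reachable_actions(PostsController, EXPLICIT_ROUTES).inspect}"
  puts "default route, private helper: #{reachable_actions(SafePostsController, :default).inspect}"
end
```

Running the script shows `purge_all` in the reachable set only for the first case. Both fixes are worth applying together: explicit routes bound what the routing layer will dispatch, and keeping helpers private (or moving them out of the controller) bounds what a future catch-all or overly broad `resources` declaration could expose.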
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0549 |
| Category | AccessControl |
| Severity | MEDIUM |
| CWE | CWE-276 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | rails, ruby |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |