Default Routes: Filter Skipping (Rails 3.0-3.0.9)

ID

ruby.checkfilterskipping

Severity

low

Resource

Default Routes

Language

Ruby

Description

The general Default Routes warning means config/routes.rb contains a call such as

# Rails 2.x
map.connect ":controller/:action/:id"

or

# Rails 3.x
match ':controller(/:action(/:id(.:format)))'

A route like this lets any public method on any controller be invoked as an action simply by naming it in the URL.

If this warning is reported for a particular controller, it means there is a route to that controller whose pattern contains :action.

Default routes are dangerous when a controller has public methods that were never meant to be actions: a helper that was left public (including one defined in a parent controller such as ApplicationController) becomes a reachable URL.

Rationale

Rails 3.0.0 through 3.0.9 contain a filter-skipping bug (CVE-2011-2929, fixed in Rails 3.0.10): a crafted request could reach a controller action without its before_filter chain running, so authentication and authorization checks implemented as filters could be bypassed. Default routes widen the set of actions such a request can reach, so this check reports applications that run an affected version.

Remediation

Upgrade to Rails 3.0.10 or later, which fixes the filter-skipping bug. The warning is tied to the framework version, so route cleanup alone does not clear it on 3.0.0 through 3.0.9; consult the Rails security announcement for the 3.0.10 release for details of the fix.

Independently of the upgrade, remove the default route from config/routes.rb and declare routes explicitly, for example resources :accounts, only: [:index, :show], so that only intended actions are reachable. Make controller methods that are not actions private or protected, or move them into helper modules, so that a wildcard route cannot expose them. Check that before_filter chains protecting sensitive actions use :only and :except lists that match the routes actually exposed.
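The following script is an added example, not code from the detector or from Rails. It illustrates the point made in the Description (a default route turns every public controller method into an action) and the Remediation (explicit routes and private helpers shrink that surface), and it shows the audit check a reviewer would run over a controller. AccountsController, the two route helpers, dispatch and unintended_public_actions are all constructed for this illustration; Rails is not loaded, and the filter-skipping bug in the framework itself is not reproduced.

```ruby
# Added example (not part of the detector or of Rails): a stand-in for what a
# default route does to a controller, and for what explicit routes do instead.
# AccountsController, the route helpers and the audit function below are all
# constructed for this illustration; Rails is not loaded.

# Constructed controller: index and show are real actions; reset_all_passwords
# is an internal helper that was left public by mistake.
class AccountsController
  def index
    "accounts list"
  end

  def show
    "account detail"
  end

  def reset_all_passwords
    "all passwords reset"
  end

  private

  # Private methods are never reachable as actions, even under a default route.
  def current_user
    :alice
  end
end

# What match ':controller(/:action(/:id(.:format)))' exposes: every public
# method the controller defines becomes a routable action.
def actions_under_default_route(controller_class)
  controller_class.public_instance_methods(false).map(&:to_s).sort
end

# What resources :accounts, only: [:index, :show] exposes: only the listed
# actions, and only if the controller actually implements them.
def actions_under_explicit_routes(controller_class, allowed)
  allowed.map(&:to_s)
         .select { |name| controller_class.public_method_defined?(name.to_sym) }
         .sort
end

# Simulated dispatch: a request naming an action that is not routable gets a
# 404 instead of a method call.
def dispatch(controller_class, action, routable)
  return [404, "No route matches #{action}"] unless routable.include?(action)

  [200, controller_class.new.public_send(action)]
end

# Audit check: public methods that are not on the intended action list are the
# ones a default route would expose unexpectedly.
def unintended_public_actions(controller_class, intended)
  actions_under_default_route(controller_class) - intended.map(&:to_s)
end

if __FILE__ == $PROGRAM_NAME
  intended = %i[index show]
  default  = actions_under_default_route(AccountsController)
  explicit = actions_under_explicit_routes(AccountsController, intended)
  puts "default route exposes:  #{default.join(', ')}"
  puts "explicit routes expose: #{explicit.join(', ')}"
  puts "GET /accounts/reset_all_passwords under default route:   " \
       "#{dispatch(AccountsController, 'reset_all_passwords', default).inspect}"
  puts "GET /accounts/reset_all_passwords under explicit routes: " \
       "#{dispatch(AccountsController, 'reset_all_passwords', explicit).inspect}"
  puts "unintended public actions: " \
       "#{unintended_public_actions(AccountsController, intended).inspect}"
end
```

Run it with plain ruby; no Rails installation is needed. The unintended_public_actions check is the manual version of what this detector's general Default Routes warning asks you to look for: any name it returns is a method that should be made private, moved out of the controller, or deliberately routed.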

Configuration

This detector does not need any configuration.