Possible HTTP verb confusion

Description

In Rails applications, the same action is often used to respond to both GET and HEAD requests. This becomes a problem when one action is written to handle both GET requests, which should not alter application state, and requests like POST, which may alter it. If the action relies on request.get? to tell the two apart, every request that is not a GET (a HEAD request included) falls through to the state-changing branch, so the application state can be modified unintentionally.

Remediations

  • Do use separate action logic for handling GET and POST requests to prevent unintended state changes.
  • Do explicitly check for state-altering HTTP verbs (such as POST) instead of relying on GET to ensure that state changes only occur when intended.

    if request.post?
      alter_state
    end
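The following is an added example, not code from the Bearer rule page or from Bearer itself. It models the pattern the rule flags with a minimal stand-in for a Rails request object so it runs without Rails; the names FakeRequest, LegacyHandler, SafeHandler and writes_for are assumptions made for the example. It shows that a handler branching on request.get? counts a HEAD request as a write, while one that checks request.post? does not.

```ruby
# Added example (not from the Bearer rule page or Bearer's own code).
# Assumed names: FakeRequest, LegacyHandler, SafeHandler, writes_for.

# Minimal stand-in for ActionDispatch::Request, offering only the verb
# predicates this example needs (Rails defines get?, head?, post?, ...).
class FakeRequest
  attr_reader :method

  def initialize(method)
    @method = method.to_s.upcase
  end

  def get?;  @method == "GET";  end
  def head?; @method == "HEAD"; end
  def post?; @method == "POST"; end
end

# Vulnerable shape: "anything that is not a GET must be a write".
# A HEAD request (sent by link checkers, monitors, caches) is not a GET,
# so it lands in the else branch and mutates state.
class LegacyHandler
  attr_reader :writes

  def initialize
    @writes = 0
  end

  def call(request)
    if request.get?
      :rendered
    else
      @writes += 1 # alter_state
      :updated
    end
  end
end

# Hardened shape: state changes only on an explicit state-altering verb.
# GET, HEAD and any other verb are treated as read-only.
class SafeHandler
  attr_reader :writes

  def initialize
    @writes = 0
  end

  def call(request)
    if request.post?
      @writes += 1 # alter_state
      :updated
    else
      :rendered
    end
  end
end

# Sends the same sequence of verbs through a fresh handler and returns how
# many times the handler altered state.
def writes_for(handler_class, verbs)
  handler = handler_class.new
  verbs.each { |verb| handler.call(FakeRequest.new(verb)) }
  handler.writes
end

if __FILE__ == $PROGRAM_NAME
  # Constructed traffic: one POST plus the reads and HEAD probes that
  # surround it in ordinary operation.
  verbs = %w[GET HEAD POST HEAD]
  puts "legacy handler writes: #{writes_for(LegacyHandler, verbs)}" # 3
  puts "safe handler writes:   #{writes_for(SafeHandler, verbs)}"   # 1
end
```

Only one request in the constructed sequence is a POST, yet the legacy handler records three writes because both HEAD requests are routed into its else branch; the hardened handler records exactly one.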

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_http_verb_confusion

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=ruby_rails_http_verb_confusion