Potential for HTTP verb confusion detected.

Rule ID: ruby_rails_http_verb_confusion
Languages: ruby
Source: http_verb_confusion.yml

Description

Rails uses the same actions for both GET and HEAD requests. When creating actions that handle both GET and state altering verbs (eg. POST), the use of request.get? can lead to unexpected state changes.

Remediations

✅ Use separate action logic for GET and POST

✅ Check for state altering verbs rather than GET:

if request.post?
  alter_state
end

Associated CWE

CWE-650: Trusting HTTP Permission Methods on the Server Side

OWASP Top 10

A04:2021 - Insecure Design

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_http_verb_confusion

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_rails_http_verb_confusion

Ready to take the next step? Learn more about Bearer Cloud.