Possible HTTP verb confusion

Description

Rails routes GET and HEAD requests to the same actions. When an action handles both GET and state-altering verbs (e.g. POST), testing request.get? to decide whether to alter state can lead to unexpected state changes: a HEAD request is not a GET, so it falls through to the state-altering branch even though the client expected a read-only response.

Remediations

✅ Use separate action logic for GET and POST

✅ Check for state altering verbs rather than GET:

if request.post?
  alter_state
end
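The following is an added example, not code from the Bearer rule or from Rails. It uses a hypothetical FakeRequest class that mimics the get?/head?/post? predicates of ActionDispatch::Request so the two patterns can be run outside a Rails application, and shows why branching on request.get? lets a HEAD request mutate state while branching on request.post? does not.

```ruby
# Added example (not Bearer's or Rails' own code). FakeRequest is a hypothetical
# stand-in for ActionDispatch::Request exposing the same verb predicates, so the
# controller logic below runs without Rails. Rails routes HEAD to the same action
# as GET, which is what makes the "not GET" check dangerous.
class FakeRequest
  attr_reader :request_method

  def initialize(method)
    @request_method = method.to_s.upcase
  end

  # Same predicate names and semantics as ActionDispatch::Request:
  # HEAD is its own verb, so get? is false for a HEAD request.
  def get?
    request_method == "GET"
  end

  def head?
    request_method == "HEAD"
  end

  def post?
    request_method == "POST"
  end
end

# Vulnerable pattern flagged by the rule: "not GET" is treated as "a write".
class VulnerableController
  attr_reader :state

  def initialize
    @state = :unchanged
  end

  def update(request)
    if request.get?
      :rendered_form        # read-only path for GET
    else
      @state = :altered     # HEAD (and any other verb) lands here
      :redirected
    end
  end
end

# Remediated pattern: branch on the state-altering verb explicitly, so only a
# genuine POST reaches the write; GET, HEAD and anything else stay read-only.
class SafeController
  attr_reader :state

  def initialize
    @state = :unchanged
  end

  def update(request)
    if request.post?
      @state = :altered
      :redirected
    else
      :rendered_form
    end
  end
end

# Drive one controller class with one verb and report the resulting state.
def run_verb(controller_class, verb)
  controller = controller_class.new
  controller.update(FakeRequest.new(verb))
  controller.state
end

if __FILE__ == $PROGRAM_NAME
  %i[get head post].each do |verb|
    puts format("%-5s vulnerable=%-10s safe=%s", verb.upcase,
                run_verb(VulnerableController, verb),
                run_verb(SafeController, verb))
  end
end
```

Running the script prints the state each controller ends up in per verb; the difference shows up on the HEAD row, where only the vulnerable controller has altered its state.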

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_http_verb_confusion

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=ruby_rails_http_verb_confusion