Possible HTTP verb confusion

Description

Rails uses the same actions for both GET and HEAD requests. When creating actions that handle both GET and state altering verbs (eg. POST), the use of request.get? can lead to unexpected state changes.

Remediations

✅ Use separate action logic for GET and POST

✅ Check for state altering verbs rather than GET:

if request.post?
alter_state
end

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_http_verb_confusion

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_rails_http_verb_confusion

Ready to take the next step? Learn more about Bearer Cloud.