Potential for HTTP verb confusion detected.
- Rule ID: ruby_rails_http_verb_confusion
- Languages: ruby
- Source: http_verb_confusion.yml
Description
Rails routes GET and HEAD requests to the same action. When an action handles
both GET and state-altering verbs (e.g. POST), guarding the write with
request.get? is unsafe: a HEAD request is not a GET, so it falls through to
the non-GET branch and can trigger unexpected state changes.
Remediations
✅ Use separate action logic for GET and POST
✅ Check for the state-altering verb itself rather than for GET:
    if request.post?
      alter_state
    end
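To make the HEAD case concrete, here is an added example (not part of the Bearer rule or of Rails): FakeRequest is a constructed stand-in for ActionDispatch::Request that keeps only the verb predicates, with their real semantics (get? is true only for GET, so HEAD answers false).

```ruby
# FakeRequest is an assumed, minimal stand-in for ActionDispatch::Request.
# It mirrors the relevant behaviour: a HEAD request is routed to the same
# action as GET, but request.get? returns false for it.
FakeRequest = Struct.new(:request_method) do
  def get?
    request_method == "GET"
  end

  def head?
    request_method == "HEAD"
  end

  def post?
    request_method == "POST"
  end
end

# Pattern the rule flags: "not GET" is treated as "a write".
# A HEAD request is not GET, so it lands in the state-altering branch.
def vulnerable_action(request, state)
  if request.get?
    state                         # read-only render, no change
  else
    state.merge(altered: true)    # runs for POST ... and for HEAD
  end
end

# Remediation from the rule: gate the write on the state-altering verb.
def safe_action(request, state)
  if request.post?
    state.merge(altered: true)
  else
    state                         # GET and HEAD both stay read-only
  end
end

# Returns true when the given action alters state for the given HTTP verb.
def altered_by?(action, verb)
  send(action, FakeRequest.new(verb), { altered: false })[:altered]
end

if __FILE__ == $PROGRAM_NAME
  %w[GET HEAD POST].each do |verb|
    puts format("%-4s vulnerable=%-5s safe=%s", verb,
                altered_by?(:vulnerable_action, verb),
                altered_by?(:safe_action, verb))
  end
end
```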
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag:
    bearer scan /path/to/your-project/ --skip-rule=ruby_rails_http_verb_confusion
To run only this rule during a scan, use the following flag:
    bearer scan /path/to/your-project/ --only-rule=ruby_rails_http_verb_confusion