Permissive callback disable configuration

Description

Skipping a callback with the except option disables it for every action not named in the list, so an access control check can inadvertently be bypassed on any action that is missing from that list, including actions added later. This oversight can compromise the security of your application by leaving required authorization checks unenforced on certain actions.

Remediations

  • Do explicitly list all actions where a callback should be skipped using the only option. This approach minimizes the risk of accidentally bypassing important security controls.
    skip_before_action :access_control, only: %i[public_action1 public_action2]
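The following is an added example, not Bearer's or Rails' own code: a small constructed stand-in for the callback filtering (the Callbacks module, PermissiveController, StrictController and access_control_runs? are all assumed names) that shows why a callback skipped with except: silently stops protecting an action that is added later, while only: does not.

```ruby
# Constructed toy model of Rails-style before_action / skip_before_action.
# It exists only to demonstrate the except: vs only: behaviour; it is not Rails.
module Callbacks
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def before_actions; @before_actions ||= []; end
    def skips; @skips ||= []; end

    def before_action(name)
      before_actions << name
    end

    # only:   skip the callback just for the listed actions
    # except: skip the callback for every action NOT listed (future ones too)
    def skip_before_action(name, only: nil, except: nil)
      skips << [name, only&.map(&:to_sym), except&.map(&:to_sym)]
    end

    # Callbacks that actually run before the given action.
    def callbacks_for(action)
      action = action.to_sym
      before_actions.reject do |cb|
        skips.any? do |name, only, except|
          next false unless name == cb
          if only then only.include?(action)
          elsif except then !except.include?(action)
          else true
          end
        end
      end
    end
  end
end

# Permissive pattern flagged by the rule: every action other than :show and
# :edit skips access_control, so a later-added :admin_report is unprotected.
class PermissiveController
  include Callbacks
  before_action :access_control
  skip_before_action :access_control, except: %i[show edit]
end

# Remediated pattern: only the explicitly public actions skip the check.
class StrictController
  include Callbacks
  before_action :access_control
  skip_before_action :access_control, only: %i[public_action1 public_action2]
end

def access_control_runs?(controller, action)
  controller.callbacks_for(action).include?(:access_control)
end
```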

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_insecure_disabling_of_callback

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_rails_insecure_disabling_of_callback