Insecure disabling of callback detected.

• Rule ID: ruby_rails_insecure_disabling_of_callback
• Languages: ruby
• Source: insecure_disabling_of_callback.yml

Description

When using except/unless for disabling a callback, there is a high chance of skipping important access control logic by accident.

Remediations

✅ Prefer enumerating all of the actions using only:

skip_before_action :access_control, only: %i[public_action1 public_action2]

Associated CWE

• CWE-284: Improper Access Control

OWASP Top 10

• A01:2021 - Broken Access Control