Insecure Configuration

Why is this important?

Ruby on Rails is a very opinionated framework that follows secure patterns by default. However, there are instances where it can be configured insecurely. For Ruby on Rails, this is mainly related to setting incorrect routes, that don't restrict access to public controller actions.

Fixing Insecure Configuration

Option A: Restrict Routes

1. Go through the issues that GuardRails identified in the PR.
2. Remove the code that has either this pattern:

  #Rails 2.x
  map.connect ":controller/:action/:id"

or this one:

  Rails 3.x
  match ':controller(/:action(/:id(.:format)))'

3. Follow the best practices as described here
4. Test it
5. Ship it 🚢 and relax 🌴

Option B: Enable Deep Munge

1. Go through the issues that GuardRails identified in the PR.
2. Identify the following configuration setting:

  config.action_dispatch.perform_deep_munge = false

3. Either delete this line, as by default it is enabled, or change it to:

  config.action_dispatch.perform_deep_munge = true

4. Test it
5. Ship it 🚢 and relax 🌴

More information

• Brakeman - Default Routes
• OWASP Top 10 - A6 Security Misconfiguration
• Rails Routing from the Outside In
• Deep Munge - Unsafe Query Generation