Insecure Configuration

Why is this important?

Ruby on Rails is a very opinionated framework that follows secure patterns by default. However, there are instances where it can be configured insecurely. For Ruby on Rails, this is mainly a matter of overly permissive routes: catch-all routes that don't restrict access to public controller actions, so every public method on a controller becomes reachable over HTTP.

Fixing Insecure Configuration

Option A: Restrict Routes

  1. Go through the issues that GuardRails identified in the PR.
  2. Remove the code that matches either this pattern:

         # Rails 2.x
         map.connect ":controller/:action/:id"

     or this one:

         # Rails 3.x
         match ':controller(/:action(/:id(.:format)))'

  3. Follow the best practices as described here.
  4. Test it.
  5. Ship it 🚢 and relax 🌴
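To make the difference between the two route styles concrete, here is an added example (not GuardRails' or Rails' own code) in plain Ruby: a tiny stand-in for the Rails router that dispatches a path either catch-all style, like the `match ':controller(/:action(/:id))'` pattern above, or through an explicit allowlist of controller/action pairs, like `resources :users, only: [:index, :show]`. The controller, its actions and the paths are constructed for the example; the point is that with the catch-all, a helper method accidentally left public is reachable as an action, while the restricted router never dispatches to it.

```ruby
# Added example, not GuardRails' or Rails' own code: a minimal stand-in for the
# Rails router, showing why a catch-all route is risky and what restricting
# routes changes. Controller, actions and paths are made up for illustration.

class UsersController
  def initialize(params)
    @params = params
  end

  # Actions the application really intends to expose.
  def index
    "user list"
  end

  def show
    "user #{@params[:id]}"
  end

  # Left public by mistake (should have been under `private`). With a catch-all
  # route this is reachable as /users/purge_all.
  def purge_all
    "all users deleted"
  end
end

CONTROLLERS = { "users" => UsersController }.freeze

# Equivalent of `resources :users, only: [:index, :show]`: an explicit allowlist.
ALLOWED_ROUTES = [
  ["users", "index"],
  ["users", "show"],
].freeze

# Split "/users/show/7" into ["users", "show", "7"]; a missing action means index.
def parse_path(path)
  controller, action, id = path.delete_prefix("/").split("/")
  [controller, action || "index", id]
end

def run_action(klass, action, id)
  [200, klass.new(id: id).public_send(action)]
end

# Behaves like `match ':controller(/:action(/:id))'`: every public method the
# controller defines is an action, so nothing stops `purge_all` being called.
def dispatch_catch_all(path, controllers = CONTROLLERS)
  controller, action, id = parse_path(path)
  klass = controllers[controller]
  return [404, "no route"] unless klass
  return [404, "no route"] unless klass.public_instance_methods(false).include?(action.to_sym)
  run_action(klass, action, id)
end

# Behaves like explicit `resources`/`get` declarations: only listed
# controller/action pairs are reachable, whatever else the class defines.
def dispatch_restricted(path, controllers = CONTROLLERS, routes = ALLOWED_ROUTES)
  controller, action, id = parse_path(path)
  return [404, "no route"] unless routes.include?([controller, action])
  run_action(controllers.fetch(controller), action, id)
end

if __FILE__ == $PROGRAM_NAME
  %w[/users /users/show/7 /users/purge_all].each do |p|
    puts "#{p.ljust(18)} catch-all=#{dispatch_catch_all(p).inspect} " \
         "restricted=#{dispatch_restricted(p).inspect}"
  end
end
```

Running the file prints one line per path; `/users/purge_all` succeeds under the catch-all dispatcher and gets a 404 from the restricted one. The lesson carries over to real Rails: the fix is to declare the routes you mean (`resources ... only:`, individual `get`/`post` lines) rather than relying on every controller method being correctly marked `private`.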

More information: