Ruby Snippet #07
This challenge covers the review of a snippet of code written in Ruby.
The Code Review Snippet challenge is designed to help you identify vulnerabilities in a small piece of Ruby on Rails code. Initially, you are encouraged to find the issue on your own before referring to the provided video for confirmation and further learning. The code in question involves a route and a controller method that handles authorization. The key issue is that the method improperly processes HEAD requests, potentially allowing Cross-Site Request Forgery (CSRF) attacks.
In the route configuration (config/routes.rb), the /authorize endpoint is set to handle both GET and POST requests. However, in the controller method (app/controllers/welcome_controller.rb), the code only distinguishes between GET requests and all others, treating HEAD requests like POST requests. Since Ruby on Rails does not apply CSRF protection to HEAD requests by default, this misconfiguration can be exploited to bypass CSRF protections and authorize actions maliciously. This specific vulnerability was notably discovered in GitHub, where it could have been used to take control of another user's account.
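The following stand-alone Ruby model is an added example and is not the challenge's snippet or GitHub's code. It reproduces the pattern the description names (a "GET, otherwise authorize" branch behind a CSRF check that exempts GET and HEAD) next to the hardened "only POST authorizes" form. Rails is not loaded: the Request struct, verified_request? and the result symbols are simplified stand-ins, and SESSION_TOKEN is a constructed value.

```ruby
require 'securerandom'

# Minimal stand-in for ActionDispatch::Request (assumption: only the verb
# predicates and params are needed for this model).
Request = Struct.new(:method, :params, keyword_init: true) do
  def get?;  method == 'GET';  end
  def head?; method == 'HEAD'; end
  def post?; method == 'POST'; end
end

# Constructed: the authenticity token Rails would keep in the user's session.
SESSION_TOKEN = SecureRandom.hex(16)

# Mirrors the shape of Rails' CSRF check: GET and HEAD are assumed read-only
# and are never verified; every other verb must carry a valid token.
def verified_request?(request)
  return true if request.get? || request.head?
  request.params['authenticity_token'] == SESSION_TOKEN
end

# Vulnerable shape from the challenge description: "GET, or anything else".
# A HEAD request is waved through the CSRF check, then lands in the else
# branch and performs the state-changing authorization.
def vulnerable_authorize(request)
  return :forbidden unless verified_request?(request)
  if request.get?
    :show_consent_form
  else
    :authorized # side effect: grants the authorization
  end
end

# Hardened shape: only an explicit POST performs the side effect; every other
# verb, including HEAD, is treated as read-only.
def fixed_authorize(request)
  return :forbidden unless verified_request?(request)
  if request.post?
    :authorized
  else
    :show_consent_form
  end
end

# Helper to build a constructed request with an optional token parameter.
def build_request(verb, token: nil)
  params = token ? { 'authenticity_token' => token } : {}
  Request.new(method: verb, params: params)
end

if __FILE__ == $PROGRAM_NAME
  %w[GET HEAD POST].each do |verb|
    req = build_request(verb)
    puts "#{verb.ljust(4)} no token  vulnerable=#{vulnerable_authorize(req)} fixed=#{fixed_authorize(req)}"
  end
end
```

Rails routes a HEAD request to the matching GET route but still reports it as HEAD in the controller, so request.get? is false and the else branch runs; the fix is to gate the side effect on the one verb the CSRF check actually covers (request.post?) rather than on "not GET". The same review check applies to any controller that branches on a negated safe verb.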