Ruby Rails support for route detection and authn/authz detection is currently limited. This is primarily due to two factors:
Convention over configuration. This means Rails' connection between a route and its controller is implicitly defined. And authn/authz properties are often defined interprocedurally in the controller, so connecting that information to a route requires connecting the controller. This makes it challenging for route-detect to connect a route with its authn/authz information.
The implicit nature of route definitions. For example, "A single call to resources can declare all of the necessary routes for your index, show, new, edit, create, update, and destroy actions." This is exacerbated by nested definitions, only: filtering, concern:, shallow:, etc.
For more information, see the paper route-detect is based on.
In short, there's a lot of automagic functionality going on behind the scenes in Rails routing that makes statically analyzing it via Semgrep rules challenging. This issue exists to document this shortcoming and brainstorm possibilities for improvement.
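To make the two factors above concrete, here is an added illustration (not code from the route-detect project) of what a static analyzer has to reconstruct: a miniature model that expands a `resources` declaration into its implied routes and resolves each route's before_action filters through the controller inheritance chain. The controller hierarchy and filter names are constructed stand-ins for parsed source; nested routes, `concern:` and `shallow:` are deliberately left out.

```ruby
# Added example (not route-detect's code): a miniature model of the two
# things a static analyzer must reconstruct for Rails. `resources` is
# expanded into the HTTP routes it implies, honouring `only:`/`except:`,
# and each route's auth filters are recovered by walking the controller
# inheritance chain, the interprocedural link the issue describes.
RESOURCE_ACTIONS = {
  index: ["GET", ""], show: ["GET", "/:id"], new: ["GET", "/new"],
  edit: ["GET", "/:id/edit"], create: ["POST", ""],
  update: ["PATCH", "/:id"], destroy: ["DELETE", "/:id"]
}.freeze

# Expand `resources :posts, only: [...]` into explicit routes. Controller
# naming follows the Rails default (posts -> PostsController), simplified.
def expand_resources(name, only: nil, except: [])
  controller = name.to_s.split("_").map(&:capitalize).join + "Controller"
  ((only || RESOURCE_ACTIONS.keys) - except).map do |action|
    verb, suffix = RESOURCE_ACTIONS.fetch(action)
    { verb: verb, path: "/#{name}#{suffix}", controller: controller, action: action }
  end
end

# Constructed stand-in for parsed controller source. A filter declared on
# ApplicationController applies to every subclass unless skipped below it.
CONTROLLERS = {
  "ApplicationController" => { parent: nil, skip: [],
    before: [{ filter: :authenticate_user!, only: nil }] },
  "PostsController" => { parent: "ApplicationController",
    before: [{ filter: :require_admin, only: [:destroy] }],
    skip: [{ filter: :authenticate_user!, only: [:index, :show] }] }
}.freeze

# Filters that actually guard controller#action: gather before_action
# entries up the inheritance chain, then drop skip_before_action ones.
def filters_for(controller, action, controllers = CONTROLLERS)
  chain = []
  while controller
    entry = controllers.fetch(controller)
    chain.unshift(entry)
    controller = entry[:parent]
  end
  applies = ->(f) { f[:only].nil? || f[:only].include?(action) }
  active  = chain.flat_map { |c| c[:before] }.select(&applies).map { |f| f[:filter] }
  skipped = chain.flat_map { |c| c[:skip] }.select(&applies).map { |f| f[:filter] }
  (active - skipped).uniq
end

# Route table with the authn/authz filters attached to each entry.
def annotated_routes(name, **opts)
  expand_resources(name, **opts).map { |r| r.merge(auth: filters_for(r[:controller], r[:action])) }
end
```

Even this toy shows why a single Semgrep pattern on routes.rb is not enough: the route list only exists after expansion, and the filter set for `PostsController#index` is empty only because a skip in the subclass cancels a filter declared in the parent.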