Create admin_controller.rb

f0e89c6

Create admin_controller.rb #99

DryRunSecurity / General Security Analyzer succeeded Aug 13, 2025 in 1s

DryRun Security

General Security Analyzer Findings: 1 detected

⚠️ Authorization Bypass via User-Controlled Parameters app/controllers/admin_controller.rb
Type Authorization Bypass via User-Controlled Parameters
Description The AdminController uses a before_action filter ensure_admin to check for administrative privileges. However, the ensure_admin method determines authorization solely based on user-controlled request parameters (params[:admin] or params[:role]). An attacker can set admin=true or role=admin in their request to bypass this check and gain unauthorized access to administrative functions, such as the /dashboard endpoint.
Filename app/controllers/admin_controller.rb
Code
# frozen_string_literal: true

class AdminController < ApplicationController
  # Authorizes based on a user-controlled request parameter.
  before_action :ensure_admin

  def dashboard
    render plain: "Top secret: Admin-only diagnostics"
  end

  private

  # Vulnerable check: trusts params[:admin] / params[:role], which the client controls.
  def ensure_admin
    allowed = params[:admin] == 'true' || params[:role] == 'admin'
    return if allowed

    render plain: "Forbidden", status: :forbidden
  end
end
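To make the finding concrete, here is an added example (not code from the PR or the project) that models the flagged check in plain Ruby without Rails: a hash stands in for `params`, a `User` struct stands in for the server-side session lookup, and `dashboard_status` simulates the `before_action` outcome for /dashboard under the parameter-based check and under a hardened check that consults only the stored role.

```ruby
# Added example modelling the finding; constructed, not from the PR.
# The request hash stands in for `params`, `current_user` for the
# authenticated user a Rails app would load from the session.

# Server-side user record; `role` is assigned by the application,
# never taken from the request.
User = Struct.new(:id, :role) do
  def admin?
    role == "admin"
  end
end

# Vulnerable check (as in the PR): authorization is decided by
# client-supplied parameters, so any request can satisfy it.
def vulnerable_admin?(params)
  params["admin"] == "true" || params["role"] == "admin"
end

# Hardened check: request parameters are ignored entirely; only the
# authenticated user's stored role is consulted.
def hardened_admin?(current_user)
  !current_user.nil? && current_user.admin?
end

# Simulate the before_action outcome for /dashboard.
# Returns :ok when the dashboard would render, :forbidden otherwise.
def dashboard_status(params:, current_user:, check:)
  allowed = case check
            when :vulnerable then vulnerable_admin?(params)
            when :hardened   then hardened_admin?(current_user)
            else raise ArgumentError, "unknown check #{check.inspect}"
            end
  allowed ? :ok : :forbidden
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: an ordinary member whose request carries admin=true.
  member = User.new(7, "member")
  tampered = { "admin" => "true" }
  puts "vulnerable: #{dashboard_status(params: tampered, current_user: member, check: :vulnerable)}"
  puts "hardened:   #{dashboard_status(params: tampered, current_user: member, check: :hardened)}"
end
```

The same tampered request yields :ok under the parameter-based check and :forbidden under the hardened one, which is the behaviour the fix should produce.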