Unscoped Find
Unscoped find (and related finder methods) is a form of Direct Object Reference. A model that belongs to another model should typically be looked up through a query scoped to its owner, not by primary key alone.
For example, if an Account belongs to a User, then this may be an unsafe unscoped find:
    Account.find(params[:id])

Depending on the action, this could allow an attacker to access any account they wish.
Instead, it should be scoped to the currently logged-in user:
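The contrast between the two lookups, as an added example that is not part of the Railroader documentation or its code: a small in-memory stand-in for the Account model (the `Account` struct, `ACCOUNTS` table, `unscoped_find`, `scoped_find` and `show_balance` are all constructed for this example, with no Rails dependency). `unscoped_find` mirrors `Account.find(params[:id])`, where any id in the table resolves; `scoped_find` mirrors a lookup restricted to the logged-in user's own accounts, so an id belonging to someone else is treated as not found.

```ruby
# Constructed stand-in for an ActiveRecord model; no Rails required.
Account = Struct.new(:id, :user_id, :balance)

# Constructed sample rows: user 10 owns accounts 1 and 2, user 20 owns account 3.
ACCOUNTS = [
  Account.new(1, 10, 500),
  Account.new(2, 10, 75),
  Account.new(3, 20, 9000)
].freeze

class NotFound < StandardError; end

# Mirrors Account.find(params[:id]): the only filter is the primary key,
# so whoever supplies the id gets the row, regardless of ownership.
def unscoped_find(id)
  ACCOUNTS.find { |a| a.id == id.to_i } or raise NotFound, "account #{id}"
end

# Mirrors a lookup scoped to the current user's own accounts: the owner
# check is part of the query, so a foreign id simply does not match.
def scoped_find(current_user_id, id)
  ACCOUNTS.find { |a| a.user_id == current_user_id && a.id == id.to_i } or
    raise NotFound, "account #{id} for user #{current_user_id}"
end

# Controller-style action: returns the balance, or nil when the lookup
# fails (a real action would render 404 instead).
def show_balance(current_user_id, params, scoped: true)
  account = if scoped
              scoped_find(current_user_id, params[:id])
            else
              unscoped_find(params[:id])
            end
  account.balance
rescue NotFound
  nil
end

if __FILE__ == $PROGRAM_NAME
  # User 10 requests account 3, which belongs to user 20.
  puts "unscoped: #{show_balance(10, { id: '3' }, scoped: false).inspect}"
  puts "scoped:   #{show_balance(10, { id: '3' }).inspect}"
end
```

The request parameters are identical in both calls; only the query changes. That is the point of the warning: the fix is not to validate the id harder but to build the lookup from the owning object so ownership is enforced by the query itself.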