hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 09:45:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

add qhelp file

Browse Source
This commit is contained in:
thiggy1342
2022-07-14 00:11:25 +00:00
committed by GitHub
parent 2cc703387b
commit ae634367c9
1 changed files with 23 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.qhelp Normal file
View File

@@ -0,0 +1,23 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Manually checking the HTTP request verb inside of a controller method can lead to
CSRF bypass if GET or HEAD requests are handled improperly.
</p>
</overview>
<recommendation>
<p>
It is better to use different controller methods for each resource/http verb combination
and configure the Rails routes in your application to call them accordingly.
</p>
</recommendation>
<references>
<p>
See https://guides.rubyonrails.org/routing.html for more information.
</p>
</references>
</qhelp>