Ruby Rails support for route detection and authn/authz detection is currently limited. This is primarily due to two factors:
Convention over configuration. This means Rails' connection between a route and its controller is implicitly defined. And authn/authz properties are often defined interprocedurally in the controller, so connecting that information to a route requires connecting the controller. This makes it challenging for route-detect to connect a route with its authn/authz information.
The implicit nature of route definitions. For example, "A single call to resources can declare all of the necessary routes for your index, show, new, edit, create, update, and destroy actions." This is exacerbated by nested definitions, only: filtering, concern:, shallow:, etc.
For more information, see the paperroute-detect is based on.
In short, there's a lot of automagic functionality going on behind the scenes in Rails routing that makes statically analyzing it via Semgrep rules challenging. This issue exists to document this shortcoming and brainstorm possibilities for improvement.
Ruby Rails support for route detection and authn/authz detection is currently limited. This is primarily due to two factors:
route-detectto connect a route with its authn/authz information.only:filtering,concern:,shallow:, etc.For more information, see the paper
route-detectis based on.In short, there's a lot of automagic functionality going on behind the scenes in Rails routing that makes statically analyzing it via Semgrep rules challenging. This issue exists to document this shortcoming and brainstorm possibilities for improvement.