IDOR in the compliance center via GET /groups/{groupName}/-/security/compliance_dashboard/frameworks/{id}.json

Issue created from vulnerability 175258230

Description:

The application was found calling the find(...) method with user-controlled input. If the ActiveRecord model being searched is sensitive, this may lead to Insecure Direct Object Reference (IDOR) behavior and allow users to read arbitrary records by supplying another record's id. This could lead to data breaches, including the exposure of personal information, account takeovers, and other security issues.

To mitigate this risk, it's essential to scope queries to the current user or another appropriate scope that ensures users can only access data they are authorized to see. In Rails this means calling find through an ActiveRecord association or scope (for example current_user.accounts.find(...)) rather than directly on the model class, so that only records within that scope can be retrieved.

Secure Code Example:

# Secure way to scope the find to the current user's accounts.
# Account.find(params[:id]) would return any account by id; going through the
# current_user.accounts association restricts the lookup to the user's own rows,
# and an id outside that scope raises ActiveRecord::RecordNotFound (rendered as 404).
def show
  @account = current_user.accounts.find(params[:id])
end
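As an added illustration (not code from this issue or from the GitLab code base), the unscoped and scoped lookups side by side, using a small in-memory stand-in for the ActiveRecord model so it runs without Rails; the group ids, framework names and helper names are constructed:

```ruby
# Constructed stand-ins: a framework row belongs to exactly one group.
RecordNotFound = Class.new(StandardError)
Framework = Struct.new(:id, :group_id, :name)
FRAMEWORKS = [
  Framework.new(1, 100, "SOC 2 (group 100)"),
  Framework.new(2, 200, "PCI DSS (group 200)"),
].freeze

# Emulates Model.find(id): a global lookup with no ownership check.
def unscoped_find(id)
  FRAMEWORKS.find { |f| f.id == id } or raise RecordNotFound, "id=#{id}"
end

# Emulates group.compliance_frameworks.find(id): the association narrows the
# candidate rows to the current group before the id lookup runs.
def scoped_find(group_id, id)
  FRAMEWORKS.select { |f| f.group_id == group_id }
            .find { |f| f.id == id } or raise RecordNotFound, "id=#{id} in group #{group_id}"
end

# Vulnerable shape (the finding): the caller's group is never consulted, so a
# member of group 100 asking for id 2 receives group 200's framework.
def vulnerable_show(_current_group_id, params)
  unscoped_find(Integer(params[:id], 10)).name
end

# Hardened shape: the same request raises RecordNotFound (Rails renders 404),
# so ids owned by other groups look exactly like nonexistent ids.
def hardened_show(current_group_id, params)
  scoped_find(current_group_id, Integer(params[:id], 10)).name
end

# True when the hardened lookup refuses the request.
def refused?(group_id, id)
  hardened_show(group_id, id: id)
  false
rescue RecordNotFound
  true
end
```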

Identifiers:

  • CWE-639
  • ruby-rails-accesscontrol-unscoped-find-taint
  • A5:2017 - Broken Access Control
  • A01:2021 - Broken Access Control
  • https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html
  • SAST Rules ID - ruby_find_rule-CheckUnscopedFind
  • Brakeman Warning Code brakeman.ruby_find_rule-CheckUnscopedFind

Scanner:

  • Name: GitLab Advanced SAST