IDOR in the compliance center via GET /groups/{groupName}/-/security/compliance_dashboard/frameworks/{id}.json
Issue created from vulnerability <a href="https://gitlab.com/gitlab-org/gitlab/-/security/vulnerabilities/175258230">175258230</a> ### Description: The application was found calling the `find(...)` method with user-controlled input. If the ActiveRecord model being searched against is sensitive, this may lead to Insecure Direct Object Reference (IDOR) behavior and allow users to read arbitrary records. This could lead to data breaches, including the exposure of personal information, account takeovers, and other security issues. To mitigate this risk, it&#39;s essential to scope queries to the current user or another appropriate scope that ensures users can only access data they are authorized to see. This is done by using ActiveRecord associations and scopes to limit the records that can be retrieved. Secure Code Example: ``` # Secure way to scope the find to the current user&#39;s accounts def show @account = current_user.accounts.find(params[:id]) end ``` * Severity: medium * Location: [ee/app/controllers/groups/security/compliance_dashboard/frameworks_controller.rb:44](https://gitlab.com/gitlab-org/gitlab/-/blob/70d90bbbf9fd831641f3255c9d3cdd6a3af151b6/ee/app/controllers/groups/security/compliance_dashboard/frameworks_controller.rb#L44) ### Identifiers: * [CWE-639](https://cwe.mitre.org/data/definitions/639.html) * ruby-rails-accesscontrol-unscoped-find-taint * A5:2017 - Broken Access Control * A01:2021 - Broken Access Control * //cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html * SAST Rules ID - ruby_find_rule-CheckUnscopedFind * Brakeman Warning Code brakeman.ruby_find_rule-CheckUnscopedFind ### Scanner: * Name: GitLab Advanced SAST
issue