Skip to main content

Lack of data validation - Out of range


Improved data validation to prevent unauthorized access


  • Usage of Ruby 2.7 for developing Ruby applications
  • Usage of Rails framework for building web applications
  • Usage of Devise for User Authentication and Authorization


Non compliant code

class EmployeesController < ApplicationController
before_action :authenticate_user!

def manage
@employee = Employee.find(params[:id])

In the above code snippet, we have a manage action inside the EmployeesController that is used to manage employees. This action is only supposed to be accessible by certain users, but due to the lack of proper data validation, any authenticated user can bypass the restrictions by directly using the absolute path to this functionality.

The before_action :authenticate_user! method ensures that the user is authenticated but it does not check the authorization of the user, meaning it does not validate if the user has the necessary permissions to access this functionality.

This vulnerability can be exploited in the following way: An authenticated user who does not have the necessary permissions to manage employees can directly use the absolute path /employees/:id/manage to access the manage functionality. Here, :id is the ID of the employee that the user wants to manage.

This lack of data validation can lead to unauthorized access and manipulation of data, which is a serious security risk.


  • Implement input validation to ensure that the 'id' parameter is within the expected range.
  • Check the user's permissions before allowing access to the 'manage' action.
  • Use authorization mechanisms, such as role-based access control, to enforce restrictions on functionality based on user roles.
  • Consider implementing a separate controller or action specifically for managing employees, instead of using a generic 'manage' action.
  • Regularly review and update the access control mechanisms to ensure they are effective and up-to-date with the application's requirements.

Compliant code

class EmployeesController < ApplicationController
before_action :authenticate_user!
before_action :set_employee, only: [:manage]
before_action :check_permissions, only: [:manage]

def manage


def set_employee
@employee = Employee.find(params[:id])

def check_permissions
unless current_user.can_manage?(@employee)
redirect_to root_path, alert: 'You do not have permission to manage this employee.'

The updated code includes a few changes to address the vulnerability:

  1. A before_action filter is added to set the @employee instance variable. This is done in a separate method (set_employee) to keep the manage action focused on its main responsibility.

  2. Another before_action filter is added to check the user's permissions before allowing access to the manage action. This is done in the check_permissions method. If the current user does not have permission to manage the specified employee, they are redirected to the application's root path with an alert message.

  3. The can_manage? method is assumed to be defined on the User model and should return true if the user has permission to manage the specified employee and false otherwise. This method should implement the necessary logic to check the user's permissions, which could involve checking the user's role, group, or other attributes.

  4. The manage action itself is now empty, as its only responsibility is to render the view (assuming the user has the necessary permissions). All data fetching and permission checking is done in the before_action filters.

These changes ensure that only users with the necessary permissions can access the manage action and that the id parameter is properly validated. This helps to prevent unauthorized access and potential data leaks.