@wickett wickett commented Aug 13, 2025

No description provided.

@dryrunsecurity DryRun Security commented

This pull request contains a critical security vulnerability where an attacker can bypass administrative access controls by manipulating user-controlled parameters in the AdminController, potentially granting unauthorized access to administrative functions by simply setting admin=true or role=admin in their request.

**Authorization Bypass via User-Controlled Parameters in `app/controllers/admin_controller.rb`**

Vulnerability: Authorization Bypass via User-Controlled Parameters

Description: The `AdminController` uses a `before_action` filter `ensure_admin` to check for administrative privileges. However, the `ensure_admin` method determines authorization solely based on user-controlled request parameters (`params[:admin]` or `params[:role]`). An attacker can set `admin=true` or `role=admin` in their request to bypass this check and gain unauthorized access to administrative functions, such as the `/dashboard` endpoint.

```ruby
# frozen_string_literal: true

class AdminController < ApplicationController
  # Authorizes based on a user-controlled request parameter.
  before_action :ensure_admin

  def dashboard
    render plain: "Top secret: Admin-only diagnostics"
  end

  private

  def ensure_admin
    allowed = params[:admin] == 'true' || params[:role] == 'admin'
    return if allowed

    render plain: "Forbidden", status: :forbidden
  end
end
```


All finding details can be found in the DryRun Security Dashboard.
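The finding above comes down to where the authorization decision reads its input from. The following is an added, stand-alone Ruby example (not code from this pull request or from DryRun Security) that places the flagged check next to a hardened one: the hardened version ignores request parameters entirely and resolves the role from a server-side user record keyed by the session. `User`, `USERS`, the `dashboard_status` helper and the sample requests are constructed stand-ins for the Rails model, database and controller.

```ruby
# frozen_string_literal: true

# Constructed stand-in for the users table: the only trusted place a role lives.
User = Struct.new(:id, :role, keyword_init: true)
USERS = {
  1 => User.new(id: 1, role: 'admin'),
  2 => User.new(id: 2, role: 'member')
}.freeze

# Vulnerable check, equivalent to the ensure_admin flagged in the finding:
# the decision is made entirely from attacker-controlled request params.
def vulnerable_admin?(params)
  params['admin'] == 'true' || params['role'] == 'admin'
end

# Hardened check: params are never consulted. The principal is resolved from
# the session (server-side, signed/encrypted in Rails), the role is read from
# the trusted store, and the check fails closed when either is missing.
def hardened_admin?(session)
  user = USERS[session[:user_id]]
  !user.nil? && user.role == 'admin'
end

# Simulates a request to /dashboard and returns the HTTP status the
# before_action would produce under the chosen check (:vulnerable or :hardened).
def dashboard_status(params:, session:, check:)
  allowed = check == :vulnerable ? vulnerable_admin?(params) : hardened_admin?(session)
  allowed ? 200 : 403
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a logged-in non-admin (user 2) sending admin=true.
  forged = { 'admin' => 'true' }
  puts dashboard_status(params: forged, session: { user_id: 2 }, check: :vulnerable) # 200
  puts dashboard_status(params: forged, session: { user_id: 2 }, check: :hardened)   # 403
  # The real admin (user 1) still gets through with no params at all.
  puts dashboard_status(params: {}, session: { user_id: 1 }, check: :hardened)       # 200
end
```

The same two cases (non-admin with a forged parameter must get 403, real admin without parameters must get 200) are the regression test a reviewer should ask for on the controller itself.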
