TL;DR
This post is about the risk of sensitive data exposure in your Ruby on Rails application. It covers unauthorized access and the cross-site request forgery (CSRF) check.
The unauthorized access risk is simple: a user can access data that they are not supposed to access. To find it, you need to check the source code of every controller. Your job is easier if the developer named controllers by their purpose. For example:
z.rb
and
doctor.rb
make a big difference.
A Rails application uses controller filters, for example:
before_action
If a controller is public, it will not have any before_action authorization filter. If authorization is required, there will be a before_action filter, for example auth_user or auth_admin, depending on the controller context.
This is a perfect candidate for automation. The developer should write simple tests that call every controller and check the HTTP status code, which should be 403 for authorized controllers and 200 for public ones.
If there is role-based access, check the authorized controllers with the appropriate role credentials.
Cross-site request forgery is when a hacker tricks a user into executing, in their browser, an HTTP request that modifies data (PUT, POST, DELETE). Ruby on Rails has out-of-the-box CSRF protection that adds an additional hidden token parameter to all such requests. Of course, that protection can be turned off.
You should search your code base for:
grep -H -r 'protect_from_forgery except:' * | less
and you should discuss with the developer whether that exception is really needed.
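The controller review and the CSRF search described above can be combined into one static pass over the controller sources. The script below is an added example, not code from the original post: it assumes authorization filters are named auth_* (as in auth_user / auth_admin), runs on constructed sample controllers, and goes beyond the grep by also flagging the other Rails calls that relax CSRF verification.

```ruby
# Added example: static audit of controller source text.
# Assumption: authorization filters are named auth_* (auth_user, auth_admin).
AUTH_FILTER = /^\s*before_action\s+:(auth_\w+)(.*)$/
# Rails calls that switch CSRF verification off for some or all actions.
CSRF_OFF = [
  /protect_from_forgery\s+(?:except|only):/,
  /skip_before_action\s+:verify_authenticity_token/,
  /skip_forgery_protection/
].freeze

def audit_controller(source)
  findings = []
  code = source.lines.reject { |l| l.strip.start_with?('#') } # skip comments
  filters = code.map { |l| l.match(AUTH_FILTER) }.compact
  if filters.empty?
    findings << 'no auth before_action: confirm this controller is public'
  end
  filters.each do |m|
    # only:/except: means some actions run without the authorization filter
    scope = m[2][/\b(only|except):/, 1]
    findings << "#{m[1]} is limited by #{scope}: review uncovered actions" if scope
  end
  code.each do |l|
    findings << "CSRF check relaxed: #{l.strip}" if CSRF_OFF.any? { |re| l =~ re }
  end
  findings
end

# Returns { file => findings } for every controller that needs a human look.
def audit_all(controllers)
  controllers.transform_values { |src| audit_controller(src) }
             .reject { |_, found| found.empty? }
end

# Constructed sample input. On a real application, build the hash with
# Dir['app/controllers/**/*.rb'].to_h { |path| [path, File.read(path)] }
SAMPLES = {
  'doctors_controller.rb' =>
    "class DoctorsController < ApplicationController\n" \
    "  before_action :auth_user\n  def index; end\nend\n",
  'pages_controller.rb' =>
    "class PagesController < ApplicationController\n  def home; end\nend\n",
  'payments_controller.rb' =>
    "class PaymentsController < ApplicationController\n" \
    "  before_action :auth_admin, except: [:webhook]\n" \
    "  protect_from_forgery except: :webhook\n  def webhook; end\nend\n"
}.freeze

audit_all(SAMPLES).each { |file, found| found.each { |msg| puts "#{file}: #{msg}" } }
```

A filter inherited from ApplicationController is not visible in a per-file scan, so a "no auth before_action" finding is a prompt to check the parent class, not proof that the controller is public.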