static_controller.rb
Severity: Critical
Dynamic Render Path
Discovered over 4 years ago
Source: static code analysis
Category: Dynamic Render Path
Confidence level: High

Problem

Render path contains parameter value

Location

app/controllers/static_controller.rb:58

render(action => (("static/#{(params[:id] or "faq")}.#{I18n.locale}" or "static/#{(params[:id] or "faq")}.en") or "static/#{(params[:id] or "faq")}"), { :layout => (not request.xhr?), :formats => ([:html]) })

Category description: When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted.

Solution: fix the issue in app/controllers/static_controller.rb or mark it as a false positive.