static_controller.rb
Severity: Critical
Dynamic Render Path
Discovered 3 months ago
Source: static code analysis
Category: Dynamic Render Path
Confidence level: High

Problem

Render path contains parameter value

Location

app/controllers/static_controller.rb:78

render(action => (("static/#{(params[:id] or "faq").gsub(/[^a-z0-9\_\-]/, "")}.#{I18n.locale}" or "static/#{(params[:id] or "faq").gsub(/[^a-z0-9\_\-]/, "")}.en") or "static/#{(params[:id] or "faq").gsub(/[^a-z0-9\_\-]/, "")}"), { :layout => (not request.xhr?), :formats => ([:html]) })

Category description: When a call to render uses a dynamically generated path, template name, file name, or action, a user may be able to access templates that should be restricted.

Solution: fix the issue in app/controllers/static_controller.rb or mark it as false positive.