File: static_controller.rb
Severity: Severe
Finding: Dynamic Render Path
Discovered: 3 months ago
Source: static code analysis
Category: Dynamic Render Path
Confidence level: Medium

Problem

Render path contains parameter value

Location

app/controllers/static_controller.rb:74

# params[:id] is stripped to [a-z0-9_-] (so "." and "/" cannot survive), but the
# remaining value still selects which template under static/ is rendered.
render(:action => "static/#{(params[:id] or "faq").gsub(/[^a-z0-9\_\-]/, "")}", { :layout => (not request.xhr?), :formats => ([:html]) })

Category description: When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. Here the character filter prevents escaping the static/ directory, but any template name inside it can still be chosen by the request; an explicit allowlist of permitted template names would remove the dynamic path entirely.

Solution: fix the issue in app/controllers/static_controller.rb or mark it as false positive.