GuardAPI

Fix Shadow API Exposure in Roda

Shadow APIs are the ghosts in your routing tree. In Roda, these manifest when developers use permissive path matching or leave legacy branches active without explicit termination. If an endpoint exists but isn't documented or access-controlled, it's a shadow API. We solve this by enforcing strict terminal matching and pruning the routing tree using Roda's built-in path constraints.

The Vulnerable Pattern

require 'roda'
require 'json'

class App < Roda
  route do |r|
    r.on "api" do
      # VULNERABLE: forgotten legacy endpoint with no authentication
      # (declared before the version branch so it is actually reachable at /api/internal-stats)
      r.get "internal-stats" do
        { status: "ok", secret_metric: 42 }.to_json
      end

      # VULNERABLE: r.on String captures any segment, so hidden dev versions
      # such as /api/dev/users are served alongside /api/v1/users
      r.on String do |version|
        # VULNERABLE: r.on matches a prefix, so /api/v1/users/anything/else
        # also reaches this block
        r.on "users" do
          { data: "Sensitive User List" }.to_json
        end
      end
    end
  end
end

The Secure Implementation

To kill shadow APIs in Roda, transition from 'r.on' (which matches any prefix) to 'r.is' (which matches the exact terminal path). The vulnerable example uses 'r.on String', which is an attacker's dream for fuzzing undocumented API versions. The secure implementation uses a whitelist for versions and the 'not_found' plugin to ensure that any 'shadow' or 'ghost' paths do not inadvertently leak information or execute logic. By halting on invalid versions and using terminal blocks, we ensure the routing tree only executes intended code paths.

require 'roda'
require 'json'

class App < Roda
  plugin :not_found
  plugin :all_verbs
  plugin :halt # required for r.halt(404) to set the status (base r.halt only takes a rack array)

  # SECURE: define allowed versions as a constraint
  SUPPORTED_VERSIONS = ['v1', 'v2'].freeze

  route do |r|
    r.on "api" do
      # SECURE: explicitly check the version segment against the whitelist
      r.on String do |v|
        r.halt(404) unless SUPPORTED_VERSIONS.include?(v)

        # SECURE: r.is ensures terminal matching (no trailing path pollution)
        r.is "users" do
          r.get do
            { data: "Sanitized User List" }.to_json
          end
        end
      end
    end
  end

  # SECURE: explicit 404 for anything not strictly matched
  # (the not_found plugin's handler is declared at class level, not inside the route block)
  not_found do
    { error: "Resource not found" }.to_json
  end
end
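Shadow endpoints such as /api/internal-stats or /api/dev/users also leave a trace in access logs: successful responses for paths that are not in the documented route inventory. As an added example (not from this page or the Roda project), here is a stdlib-only Ruby audit that flags such paths; the route inventory, the log lines and the IP addresses are constructed for illustration.

```ruby
require 'set'

# Documented inventory for the secure App: method plus path template, where
# :version must be one of the page's SUPPORTED_VERSIONS (constructed example).
SUPPORTED_VERSIONS = %w[v1 v2].freeze
DOCUMENTED = [
  ['GET', %w[api :version users]]
].freeze

# Constructed combined-log-style lines (hypothetical client IPs).
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /api/v1/users HTTP/1.1" 200 512
  10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /api/v1/users/anything/else HTTP/1.1" 200 512
  10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /api/dev/users HTTP/1.1" 200 512
  10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /api/internal-stats HTTP/1.1" 200 40
  10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /api/v9/users HTTP/1.1" 404 18
  10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "POST /api/v2/users HTTP/1.1" 405 0
LOG

LOG_LINE = %r{"(?<method>[A-Z]+) (?<path>\S+) HTTP/[\d.]+" (?<status>\d{3})}

# True when the path fills a documented template exactly: same number of
# segments (terminal match, like r.is) and a whitelisted version.
def documented?(method, segments)
  DOCUMENTED.any? do |doc_method, template|
    next false unless doc_method == method && template.length == segments.length
    template.zip(segments).all? do |t, s|
      t == ':version' ? SUPPORTED_VERSIONS.include?(s) : t == s
    end
  end
end

# Returns the distinct "METHOD /path" strings that were served successfully (2xx)
# but are not in the documented inventory, i.e. shadow API candidates.
def shadow_paths(log)
  log.each_line.with_object(Set.new) do |line, found|
    m = LOG_LINE.match(line) or next
    next unless m[:status].start_with?('2')
    segments = m[:path].split('?').first.split('/').reject(&:empty?)
    found << "#{m[:method]} /#{segments.join('/')}" unless documented?(m[:method], segments)
  end.to_a.sort
end

puts shadow_paths(SAMPLE_LOG) if $PROGRAM_NAME == __FILE__
```

Requests that the secure implementation already rejects (the 404 for v9, the 405 for POST) are ignored, so the report lists only paths that are both live and undocumented.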


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.