    restrict routes to only match actions that are available · df6e67cf
    azul authored
    here's what i did to find the routes that are too permissive:
    
    routes = Rails.application.routes.routes; nil
    route_defaults = routes.map(&:defaults); nil
    route_actions = route_defaults.inject(Hash.new) do |h, d|
      h[d[:controller]] ||= []
      h[d[:controller]] << d[:action]
      h
    end ; nil
    routes_too_permissive = route_actions.map do |controller, actions|
           next unless controller.present?
         controller_class = "#{controller}_controller".classify
        next unless defined?(controller_class)
         controller_actions =
    controller_class.constantize.action_methods.to_a
         next if (actions - controller_actions).blank?
         {controller: controller, route_actions: actions.sort.uniq,
    controller_actions: controller_actions.map(&:to_sym)}
      end; nil
    pp routes_too_permissive.compact
    df6e67cf