Add Ruby on Rails security rule pack#229
Open
seonghobae wants to merge 1 commit into
Open
Conversation
Add scanner/rules/rails.yml with six precision-first rules for .rb/.erb
sources, which the built-in rules do not cover:
- rails-sql-injection-interpolation (CRITICAL, CWE-89): interpolated
strings in where/find_by_sql/order/group/having
- rails-command-injection (CRITICAL, CWE-78): interpolated strings in
system/exec/IO.popen/Open3.*, and backticks interpolating params/request
- rails-secrets-in-code (CRITICAL, CWE-798): hardcoded secret_key_base
- rails-raw-html-output (HIGH, CWE-79): raw(...)/.html_safe escaping bypass
- rails-mass-assignment-permit-all (HIGH, CWE-915): params.permit!
- rails-skip-csrf (HIGH, CWE-352): skip_before_action
:verify_authenticity_token
Every injection rule requires real Ruby interpolation ("#{...}") or an
unambiguous dangerous API, so parameterized queries, permit lists, and
argument-list system calls do not match. Verified end to end: all six
rules fire on a temp Rails fixture app and stay silent on safe
controllers and non-Ruby paths.
tests/test_rails_rules.py covers positive/negative snippets, severities,
path scoping, and end-to-end _scan_file behavior. Full suite passes
(238) and the repo self-scan stays at zero deploy blockers.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01EywwS2Du8pimW7xqRP3An3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
scanner/rules/rails.yml— a 6-rule Ruby / Rails security pack for.rb/.erbsources, which no built-in rule currently covers. Rules uselanguages: [generic]with path globs (**/*.rb,**/*.erb) so the lightweight regex engine scopes them correctly.#{...}) or an unambiguous dangerous API, so safe Rails idioms (bind parameters,permitlists, argument-listsystemcalls,sanitize) do not match. Verified zero findings on safe fixture controllers.Rules
rails-sql-injection-interpolationrails-command-injectionrails-secrets-in-code(hardcodedsecret_key_base)rails-raw-html-output(raw/.html_safeXSS)rails-mass-assignment-permit-all(params.permit!)rails-skip-csrfTesting
tests/test_rails_rules.py(16 tests): positive/negative snippets per rule, severity assertions, path-scoping assertions, end-to-end_scan_filefiring on a temp Rails app, silence on safe controllers and non-Ruby paths.[Unreleased](Korean) and README "Detects" updated.🤖 Generated with Claude Code
https://claude.ai/code/session_01EywwS2Du8pimW7xqRP3An3