Skip to content

Add Ruby on Rails security rule pack#229

Open
seonghobae wants to merge 1 commit into
developfrom
rails-rules
Open

Add Ruby on Rails security rule pack#229
seonghobae wants to merge 1 commit into
developfrom
rails-rules

Conversation

@seonghobae

Copy link
Copy Markdown
Contributor

Summary

  • Adds scanner/rules/rails.yml — a 6-rule Ruby / Rails security pack for .rb/.erb sources, which no built-in rule currently covers. Rules use languages: [generic] with path globs (**/*.rb, **/*.erb) so the lightweight regex engine scopes them correctly.
  • Precision-first design: every injection rule requires actual Ruby string interpolation (#{...}) or an unambiguous dangerous API, so safe Rails idioms (bind parameters, permit lists, argument-list system calls, sanitize) do not match. Verified zero findings on safe fixture controllers.

Rules

Rule Severity CWE / OWASP
rails-sql-injection-interpolation CRITICAL CWE-89 / A03:2021
rails-command-injection CRITICAL CWE-78 / A03:2021
rails-secrets-in-code (hardcoded secret_key_base) CRITICAL CWE-798 / A07:2021
rails-raw-html-output (raw / .html_safe XSS) HIGH CWE-79 / A03:2021
rails-mass-assignment-permit-all (params.permit!) HIGH CWE-915 / A08:2021
rails-skip-csrf HIGH CWE-352 / A01:2021

Testing

  • tests/test_rails_rules.py (16 tests): positive/negative snippets per rule, severity assertions, path-scoping assertions, end-to-end _scan_file firing on a temp Rails app, silence on safe controllers and non-Ruby paths.
  • Full suite: 238 passed.
  • Repo self-scan stays at zero deploy blockers.
  • CHANGELOG [Unreleased] (Korean) and README "Detects" updated.

🤖 Generated with Claude Code

https://claude.ai/code/session_01EywwS2Du8pimW7xqRP3An3

Add scanner/rules/rails.yml with six precision-first rules for .rb/.erb
sources, which the built-in rules do not cover:

- rails-sql-injection-interpolation (CRITICAL, CWE-89): interpolated
  strings in where/find_by_sql/order/group/having
- rails-command-injection (CRITICAL, CWE-78): interpolated strings in
  system/exec/IO.popen/Open3.*, and backticks interpolating params/request
- rails-secrets-in-code (CRITICAL, CWE-798): hardcoded secret_key_base
- rails-raw-html-output (HIGH, CWE-79): raw(...)/.html_safe escaping bypass
- rails-mass-assignment-permit-all (HIGH, CWE-915): params.permit!
- rails-skip-csrf (HIGH, CWE-352): skip_before_action
  :verify_authenticity_token

Every injection rule requires real Ruby interpolation ("#{...}") or an
unambiguous dangerous API, so parameterized queries, permit lists, and
argument-list system calls do not match. Verified end to end: all six
rules fire on a temp Rails fixture app and stay silent on safe
controllers and non-Ruby paths.

tests/test_rails_rules.py covers positive/negative snippets, severities,
path scoping, and end-to-end _scan_file behavior. Full suite passes
(238) and the repo self-scan stays at zero deploy blockers.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01EywwS2Du8pimW7xqRP3An3
@seonghobae seonghobae enabled auto-merge (squash) July 6, 2026 07:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant