npm - @critiq/rules - Versions diffs - 0.1.0 → 0.2.0 - Mend

@critiq/rules 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (299) hide show

package/rules/python/py.security.dynamic-code-execution.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.dynamic-code-execution
+  title: Avoid dynamic code execution with eval or exec
+  summary: Python services should not execute runtime-generated code via `eval` or `exec`.
+  rationale: Dynamic code execution turns untrusted data into executable behavior and expands code-injection risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-94
+      title: Improper Control of Generation of Code
+    - kind: owasp
+      title: Code Injection
+      url: https://owasp.org/www-community/attacks/Code_Injection
+  tags:
+    - security
+    - python
+    - execution
+    - injection
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.dynamic-code-execution
+    bind: issue
+emit:
+  finding:
+    category: security.execution
+    severity: high
+    confidence: 0.95
+    tags:
+      - security
+      - python
+      - execution
+      - injection
+  message:
+    title: Avoid dynamic execution in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` executes code dynamically with `eval` or `exec`."
+  remediation:
+    summary: Replace dynamic execution with explicit parsing, allowlisted operations, or fixed function dispatch tables.

package/rules/python/py.security.fastapi-insecure-cors.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Avoid permissive FastAPI CORS with credentials
   summary: FastAPI `CORSMiddleware` should not combine wildcard origins, methods, or headers with `allow_credentials=True`.
   rationale: Wildcard CORS policies plus credentials mirror insecure browser CORS combinations that attackers can abuse from malicious origins.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-942
+      title: Permissive Cross-domain Policy with Untrusted Domains
+    - kind: owasp
+      title: Cross-Origin Resource Sharing (CORS)
+      url: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
+    - kind: url
+      title: FastAPI security
+      url: https://fastapi.tiangolo.com/tutorial/security/
   tags:
     - security
     - python
@@ -41,3 +53,4 @@ emit:
     summary: "`${captures.issue.text}` configures `CORSMiddleware` with wildcards while credentials are enabled."
   remediation:
     summary: Replace wildcard origins, methods, and headers with explicit allowlists when credentials are required.

package/rules/python/py.security.flask-debug-enabled.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.flask-debug-enabled
+  title: Disable Flask debug mode in runtime configuration
+  summary: Flask applications should not enable debug mode through `app.run`, config assignment, or `FLASK_DEBUG`.
+  rationale: Debug mode can expose interactive tracebacks and internal application state to external users.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
+    - kind: url
+      title: Flask security considerations
+      url: https://flask.palletsprojects.com/en/stable/security/
+  tags:
+    - security
+    - python
+    - flask
+    - configuration
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+match:
+  fact:
+    kind: python.security.flask-debug-enabled
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - flask
+      - configuration
+  message:
+    title: Disable Flask debug setting `${captures.issue.text}`
+    summary: "`${captures.issue.text}` enables Flask debug behavior that should remain off outside local development."
+  remediation:
+    summary: Remove debug flags from runtime code and environment assignments, then gate development-only behavior behind safe configuration.

package/rules/python/py.security.flask-missing-upload-body-limit.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Set Flask MAX_CONTENT_LENGTH for uploads
   summary: Flask apps handling uploads should configure `MAX_CONTENT_LENGTH` to bound request bodies.
   rationale: Missing upload limits enables trivial denial-of-service via oversized multipart payloads.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+    - kind: url
+      title: Flask security considerations
+      url: https://flask.palletsprojects.com/en/stable/security/
   tags:
     - security
     - python
@@ -42,3 +54,4 @@ emit:
     summary: "Upload handling references `${captures.issue.text}` but no `MAX_CONTENT_LENGTH` configuration was detected in this file."
   remediation:
     summary: Set `app.config["MAX_CONTENT_LENGTH"]` (or equivalent) to a bounded maximum aligned with product limits.

package/rules/python/py.security.flask-unsafe-html-output.rule.yaml CHANGED Viewed

@@ -6,6 +6,18 @@ metadata:
   summary: Flask responses should not bypass escaping when interpolating `request` input into HTML helpers or template strings.
   rationale: >-
     Markup helpers, render_template_string, and Jinja safe filters bypass escaping and commonly become XSS sinks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Flask security considerations
+      url: https://flask.palletsprojects.com/en/stable/security/
   tags:
     - security
     - python
@@ -42,3 +54,4 @@ emit:
     summary: "`${captures.issue.text}` mixes request-controlled values with markup helpers or unescaped template paths."
   remediation:
     summary: Use automatic escaping, `render_template` with trusted contexts, or a vetted sanitizer instead of raw markup shortcuts.

package/rules/python/py.security.flask-unsafe-upload-filename.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Sanitize Flask upload filenames before saving
   summary: Flask upload handlers should pass filenames through `secure_filename` (or equivalent) before persisting to disk.
   rationale: Attacker-controlled filenames enable traversal sequences, extension spoofing, and collisions when saved verbatim.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+    - kind: url
+      title: Flask security considerations
+      url: https://flask.palletsprojects.com/en/stable/security/
   tags:
     - security
     - python
@@ -42,3 +54,4 @@ emit:
     summary: "`${captures.issue.text}` persists uploads using an unsanitized client-provided filename."
   remediation:
     summary: Generate trusted server-side names or wrap uploads with `werkzeug.utils.secure_filename` before calling `save`.

package/rules/python/py.security.insecure-temp-file.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.insecure-temp-file
+  title: Avoid insecure temporary file name helpers
+  summary: Python temporary files should not use `mktemp` or `tempnam` helpers that create race-prone filenames.
+  rationale: Predictable temporary filenames can enable symlink races and unauthorized file access before creation.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+  tags:
+    - security
+    - python
+    - filesystem
+    - tempfile
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.insecure-temp-file
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: medium
+    confidence: 0.92
+    tags:
+      - security
+      - python
+      - filesystem
+      - tempfile
+  message:
+    title: Replace insecure temp helper `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses an insecure temporary filename API."
+  remediation:
+    summary: Use `tempfile.NamedTemporaryFile` or `tempfile.mkstemp` to create secure files atomically.

package/rules/python/py.security.insecure-yaml-load.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.insecure-yaml-load
+  title: Use SafeLoader with yaml.load
+  summary: Python YAML parsing should use `SafeLoader` when calling `yaml.load`.
+  rationale: Unsafe YAML deserialization can instantiate arbitrary Python objects and lead to unexpected code paths.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-502
+      title: Deserialization of Untrusted Data
+    - kind: owasp
+      title: Deserialization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
+  tags:
+    - security
+    - python
+    - yaml
+    - deserialization
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.insecure-yaml-load
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - python
+      - yaml
+      - deserialization
+  message:
+    title: Use a safe YAML loader in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` calls `yaml.load` without a safe loader."
+  remediation:
+    summary: Prefer `yaml.safe_load` or pass `Loader=yaml.SafeLoader` explicitly for trusted-safe parsing behavior.

package/rules/python/py.security.jinja-autoescape-disabled.rule.yaml ADDED Viewed

@@ -0,0 +1,58 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.jinja-autoescape-disabled
+  title: Avoid disabling Jinja autoescape
+  summary: Jinja2 environments should keep autoescaping enabled for HTML rendering contexts.
+  rationale: Disabling autoescape can allow untrusted template data to render as executable markup in browser clients.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Flask security considerations
+      url: https://flask.palletsprojects.com/en/stable/security/
+  tags:
+    - security
+    - python
+    - jinja
+    - xss
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.jinja-autoescape-disabled
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - python
+      - jinja
+      - xss
+  message:
+    title: Enable Jinja autoescape in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` configures a Jinja environment with `autoescape=False`."
+  remediation:
+    summary: Keep `autoescape` enabled for HTML templates and isolate trusted non-HTML rendering pipelines explicitly.

package/rules/python/py.security.subprocess-shell-enabled.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.subprocess-shell-enabled
+  title: Avoid enabling shell mode in subprocess calls
+  summary: Python process execution should avoid `shell=True` unless shell interpretation is explicitly required and tightly controlled.
+  rationale: Shell-enabled process execution introduces command parsing behavior that increases injection and execution risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-78
+      title: OS Command Injection
+    - kind: owasp
+      title: OS Command Injection Defense Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
+  tags:
+    - security
+    - python
+    - subprocess
+    - execution
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.subprocess-shell-enabled
+    bind: issue
+emit:
+  finding:
+    category: security.execution
+    severity: high
+    confidence: 0.93
+    tags:
+      - security
+      - python
+      - subprocess
+      - execution
+  message:
+    title: Review shell-enabled process call `${captures.issue.text}`
+    summary: "`${captures.issue.text}` enables shell interpretation via `shell=True`."
+  remediation:
+    summary: Use argument-list execution with `shell=False` by default, and only allow fixed commands when shell mode is unavoidable.

package/rules/ruby/ruby.security.rails-csrf-disabled.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Browser-facing Rails controllers should keep forgery protection enabled with a safe strategy.
   rationale: >-
     Skipping CSRF verification or downgrading to `null_session` lets attackers replay cross-site requests against authenticated sessions.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-352
+      title: Cross-Site Request Forgery (CSRF)
+    - kind: owasp
+      title: Cross-Site Request Forgery Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Ruby on Rails security guide
+      url: https://guides.rubyonrails.org/security.html
   tags:
     - security
     - ruby
@@ -43,3 +55,4 @@ emit:
   remediation:
     summary: >-
       Remove broad `skip_forgery_protection` usage, prefer `protect_from_forgery with: :exception`, and keep `verify_authenticity_token` enabled for state-changing browser actions.

package/rules/ruby/ruby.security.rails-detailed-exceptions-enabled.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Production environments should not enable local-style exception pages or verbose Action Dispatch exception rendering.
   rationale: >-
     Detailed exceptions leak stack traces, secrets, and implementation details that attackers can use to refine exploits.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
+    - kind: url
+      title: Ruby on Rails security guide
+      url: https://guides.rubyonrails.org/security.html
   tags:
     - security
     - ruby
@@ -42,3 +54,4 @@ emit:
   remediation:
     summary: >-
       Set `consider_all_requests_local` and `show_detailed_exceptions` to safe defaults, route errors through monitored handlers, and keep `config.action_dispatch.show_exceptions` off verbose modes in production.

package/rules/ruby/ruby.security.rails-open-redirect.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Redirect helpers must not send users to hosts or paths derived directly from request input without validation.
   rationale: >-
     `redirect_to` and `redirect_back` calls that honor `params`, `request` URLs, or `allow_other_host: true` with tainted data are a common phishing and OAuth bypass vector.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-601
+      title: URL Redirection to Untrusted Site
+    - kind: owasp
+      title: Unvalidated Redirects and Forwards Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
+    - kind: url
+      title: Ruby on Rails security guide
+      url: https://guides.rubyonrails.org/security.html
   tags:
     - security
     - ruby
@@ -43,3 +55,4 @@ emit:
   remediation:
     summary: >-
       Use an allowlisted path helper, reject off-host targets, and avoid pairing `allow_other_host: true` with user-controlled URLs.

package/rules/ruby/ruby.security.rails-unsafe-html-output.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Do not mark request-driven strings as HTML safe or bypass sanitization in views or helpers.
   rationale: >-
     `raw`, `html_safe`, `sanitize: false`, and ERB double-equals disable escaping and commonly become reflected XSS sinks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Ruby on Rails security guide
+      url: https://guides.rubyonrails.org/security.html
   tags:
     - security
     - ruby
@@ -44,3 +56,4 @@ emit:
   remediation:
     summary: >-
       Prefer default escaping, pass sanitized fragments, or centralize HTML generation through a vetted sanitizer instead of `raw`/`html_safe`.

package/rules/ruby/ruby.security.rails-unsafe-render.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     `render` options such as `html:`, `plain:`, or `inline:` must not consume unvalidated request data.
   rationale: >-
     These render modes bypass templates and can reflect attacker-controlled markup or scripts when fed tainted strings.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Ruby on Rails security guide
+      url: https://guides.rubyonrails.org/security.html
   tags:
     - security
     - ruby
@@ -43,3 +55,4 @@ emit:
   remediation:
     summary: >-
       Prefer templates with escaping, sanitize any rich text, or map request identifiers to trusted server-side content instead of rendering raw params.

package/rules/ruby/ruby.security.rails-unsafe-session-or-cookie-store.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Session and signed cookie stores should not persist raw `params` blobs that attackers can influence.
   rationale: >-
     Writing `params` directly into `session` or `cookies` enables tampering, fixation, and oversized payload attacks unless additional integrity controls exist.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-614
+      title: Sensitive Cookie Without Secure Attribute
+    - kind: owasp
+      title: Session Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+    - kind: url
+      title: Ruby on Rails security guide
+      url: https://guides.rubyonrails.org/security.html
   tags:
     - security
     - ruby
@@ -43,3 +55,4 @@ emit:
   remediation:
     summary: >-
       Store opaque identifiers, use signed or encrypted cookie jars appropriately, and validate any user-derived values before persistence.

package/rules/ruby/ruby.security.rails-unsafe-strong-parameters.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Strong parameters and mass assignment sinks should not accept unfiltered request hashes or privileged attributes.
   rationale: >-
     Permissive `permit!`, privileged `permit` fields, and direct `params` mass assignment enable attackers to escalate privileges or overwrite protected columns.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+    - kind: url
+      title: Ruby on Rails security guide
+      url: https://guides.rubyonrails.org/security.html
   tags:
     - security
     - ruby
@@ -44,3 +56,4 @@ emit:
   remediation:
     summary: >-
       Replace `permit!` with an explicit attribute list, drop privileged symbols from `permit`, and route updates through vetted strong-parameter helpers instead of raw `params`.

package/rules/ruby/ruby.security.sensitive-data-egress.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     Outbound HTTP helpers should not receive URLs or bodies directly from `params` or other tainted sources without validation.
   rationale: >-
     User-controlled egress enables SSRF, data exfiltration, and token theft when combined with open HTTP clients.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - ruby
@@ -43,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Allowlist hosts, strip secrets from outbound payloads, and route external calls through audited integration points.

package/rules/ruby/ruby.security.sidekiq-web-unauthenticated-mount.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     Sidekiq Web must not be exposed on public routes without an authentication or network guard.
   rationale: >-
     Unauthenticated Sidekiq Web consoles expose queues and often lead to remote code execution via job replay or configuration changes.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-862
+      title: Missing Authorization
+    - kind: owasp
+      title: Authorization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
   tags:
     - security
     - ruby
@@ -43,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Wrap mounts in `authenticate`, add route constraints, use basic auth or VPN-only routing, and keep consoles off public networks.