@runsec/mcp 1.0.28 → 1.0.37

package/dist/data/skills/ru-regulatory/patterns.md

@@ -0,0 +1,28 @@
+| ID | Название метрики | Anti-Pattern (Vulnerable Code/YAML) | Safe-Pattern (Remediation) | Stack | Источник  fix_template | Exploit scenario |
+|---|---|---|---|---|---|---|
+| RRC-001 | 152-ФЗ: PII в stdout / внешние логи | `print(f"user={user.email}")`<br>`logger.info("pii", extra={"fio": fio, "snils": snils, "email": email})` | Использовать редактирование/маскирование до логирования (например, `redact_email`, `redact_snils`), а также уровень логов без PII по умолчанию. | Compliance/Regulatory | 152-ФЗ (PII in logs) | Использовать редактирование/маскирование до логирования (например, `redact_email`, `redact_snils`), а также уровень логов без PII по умолчанию. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-001 152 фз pii в stdout внешние логи print f user email logger info extra fio snils использовать редактирование маскирование до -->
+| RRC-002 | Data Residency: ПДн в зарубежные API без обезличивания | `requests.post("https://api.openai.com", json={"text": pii})`<br>`fetch("https://api.anthropic.com", { body: pii })` | Обезличить/агрегировать ПДн перед отправкой, отделить идентификаторы и payload, добавить контроль/аудит передачи данных. | Compliance/Regulatory | RU policy: residency & anonymization | Обезличить/агрегировать ПДн перед отправкой, отделить идентификаторы и payload, добавить контроль/аудит передачи данных. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-002 data residency пдн в зарубежные api без обезличивания requests post https openai com json text pii fetch anthropic body обезличить -->
+| RRC-003 | GOST: небезопасные/несертифицированные крипто-библиотеки | `from cryptography.hazmat.primitives.ciphers import Cipher`<br>`import Crypto.Cipher` | Использовать сертифицированные средства криптографии / GOST-совместимые библиотеки, соответствующие требованиям контура КИИ. | Compliance/Regulatory | RU KII: certified crypto requirement | Использовать сертифицированные средства криптографии / GOST-совместимые библиотеки, соответствующие требованиям контура КИИ. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-003 gost небезопасные несертифицированные крипто библиотеки from cryptography hazmat primitives ciphers import cipher crypto использовать сертифицированные средства криптографии совместимые соответствующие требованиям -->
+| RRC-004 | Import Substitution: hardcoded cloud metadata | `http://169.254.169.254/latest/meta-data/`<br>`AWS_INSTANCE_ID` (или запросы к IMDS) | Уйти от hardcoded metadata: использовать абстракции конфигурации/переменные окружения и единый механизм discovery для целевого облака. | Compliance/Regulatory | Import substitution: portability risk | Уйти от hardcoded metadata: использовать абстракции конфигурации/переменные окружения и единый механизм discovery для целевого облака. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-004 import substitution hardcoded cloud metadata http 169 254 latest meta data aws instance id или запросы к imds уйти от -->
+| RRC-005 | Foreign DNS/NTP | `nameserver 8.8.8.8`<br>`server pool.ntp.org iburst` | Использовать российские или внутренние корпоративные DNS/NTP резолверы (например, `10.0.0.53`, `ntp.local`). | Compliance/Regulatory | FSTEC/FSB hardening: trusted infra dependencies | Использовать российские или внутренние корпоративные DNS/NTP резолверы (например, `10.0.0.53`, `ntp.local`). | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-005 foreign dns ntp nameserver 8 server pool org iburst использовать российские или внутренние корпоративные резолверы например 10 0 53 local -->
+| RRC-006 | Insecure External Repositories | `pip install -i https://pypi.org/simple ...`<br>`npm config set registry https://registry.npmjs.org/` | В CI/CD разрешать только доверенные внутренние зеркала/репозитории артефактов (Nexus/Artifactory/internal registry). | Compliance/Regulatory | Supply-chain policy: trusted mirrors only | В CI/CD разрешать только доверенные внутренние зеркала/репозитории артефактов (Nexus/Artifactory/internal registry). | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-006 insecure external repositories pip install i https pypi org simple npm config set registry npmjs в ci cd разрешать только -->
+| RRC-007 | Information Leakage in Errors | `return {"error": str(e), "stack": traceback.format_exc()}` | Возвращать обобщенное сообщение пользователю; детали и stacktrace писать только во внутренние журналы. | Compliance/Regulatory | Secure error handling policy | Возвращать обобщенное сообщение пользователю; детали и stacktrace писать только во внутренние журналы. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-007 information leakage errors return error str e stack traceback format exc возвращать обобщенное сообщение пользователю детали и stacktrace писать только -->
+| RRC-008 | Missing Security Audit | `except AuthError:`<br>`    return {"ok": False}` | Централизованно логировать неудачные входы, смену паролей и чувствительные события безопасности (SIEM/audit bus). | Compliance/Regulatory | Security audit logging requirement | Централизованно логировать неудачные входы, смену паролей и чувствительные события безопасности (SIEM/audit bus). | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-008 missing security audit except autherror return ok false централизованно логировать неудачные входы смену паролей и чувствительные события безопасности siem bus -->
+| RRC-009 | Unsigned binary execution | `subprocess.run(["/opt/bin/tool"])` | Перед запуском проверять цифровую подпись/доверенную цепочку и хэш (особенно на критических узлах). | Compliance/Regulatory | Critical node integrity policy | Перед запуском проверять цифровую подпись/доверенную цепочку и хэш (особенно на критических узлах). | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-009 unsigned binary execution subprocess run opt bin tool перед запуском проверять цифровую подпись доверенную цепочку и хэш особенно на критических -->
+| RRC-010 | Insecure Data Deletion | `os.remove(pii_file)` | Перед удалением перезаписать файл нулями/случайными данными, затем удалить (`fsync` + `remove`) с учетом политики хранения. | Compliance/Regulatory | `CWE-226` | Перед удалением перезаписать файл нулями/случайными данными, затем удалить (`fsync` + `remove`) с учетом политики хранения. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-010 insecure data deletion os remove pii file перед удалением перезаписать файл нулями случайными данными затем удалить fsync с учетом политики -->
+| RRC-011 | Banned Functions (Security Policy) | `os.system(user_cmd)`<br>`subprocess.Popen(user_cmd, shell=True)` | Использовать `subprocess.run([...], shell=False, check=True)` с фиксированным whitelist аргументов. | Compliance/Regulatory | `CWE-676` | Использовать `subprocess.run([...], shell=False, check=True)` с фиксированным whitelist аргументов. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-011 banned functions security policy os system user cmd subprocess popen shell true использовать run false check с фиксированным whitelist аргументов -->
+| RRC-012 | Missing Config Integrity Check | `settings = json.load(open("config.json"))` | Проверять SHA-256/HMAC целостность конфигурации при старте; при mismatch — fail closed и аудит-событие. | Compliance/Regulatory | `CWE-353` | Проверять SHA-256/HMAC целостность конфигурации при старте; при mismatch — fail closed и аудит-событие. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-012 missing config integrity check settings json load open проверять sha 256 hmac целостность конфигурации при старте mismatch fail closed и -->
+| RRC-013 | ГОСТ 57580.1 / ЦБ: "мясные" учетки вместо УДИ/УДА токенов | `KEYCLOAK_USER=admin`<br>`KEYCLOAK_PASSWORD=admin123`<br>`auth = {"user": "...", "pass": "..."}` | Использовать токены УДИ/УДА (OIDC/OAuth2, client credentials, mTLS-bound tokens), запрет static user/pass в интеграциях и сервис-аккаунтах. | Compliance/Regulatory | ГОСТ 57580.1, требования ЦБ по ИАМ/идентификации | Использовать токены УДИ/УДА (OIDC/OAuth2, client credentials, mTLS-bound tokens), запрет static user/pass в интеграциях и сервис-аккаунтах. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-013 gost 57580 цб мясные учетки user pass вместо уди уда токенов keycloak password auth использовать oidc oauth2 client credentials mtls bound -->
+| RRC-014 | ЦБ: Недостаточная аутентификация интеграций (нет токен-ротации) | `token = "hardcoded-long-lived"`<br>`expires_in = 99999999` | Обязательная короткоживущая токен-модель, ротация, revoke/introspection, аудит выдачи и использования токенов. | Compliance/Regulatory | Внутренние стандарты ЦБ ИБ (токены и жизненный цикл) | Обязательная короткоживущая токен-модель, ротация, revoke/introspection, аудит выдачи и использования токенов. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-014 цб недостаточная аутентификация интеграций нет токен ротации token hardcoded long lived expires in обязательная короткоживущая модель revoke introspection аудит -->
+| RRC-015 | FAPI.SEC/PAOK: запрет Implicit Flow, обязательный Code+PKCE+mTLS | `response_type=token`<br>`grant_type=implicit`<br>`curl https://idp/token` (без mTLS client cert) | Использовать Authorization Code Flow + PKCE, а для межсервисного взаимодействия включать mTLS (client cert/key) и проверку FAPI-профиля. | Compliance/Regulatory | FAPI Security Profile, ГОСТ 57580.1 | Использовать Authorization Code Flow + PKCE, а для межсервисного взаимодействия включать mTLS (client cert/key) и проверку FAPI-профиля. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-015 fapi paok implicit flow запрет authorization code pkce mtls client cert key gost 57580 -->
+| RRC-016 | Docker Root: запуск контейнера от root | `# Dockerfile`<br>`FROM python:3.11`<br>`USER root` или отсутствие `USER` | Явно создавать непривилегированного пользователя и переключаться на него (`RUN useradd -m appuser`, `USER appuser`). | Compliance/Regulatory | Docker CIS + ГОСТ 57580.1 hardening | Явно создавать непривилегированного пользователя и переключаться на него (`RUN useradd -m appuser`, `USER appuser`). | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-016 docker root user root отсутствие user dockerfile non root appuser gost 57580 -->
+| RRC-017 | Vault/ESO: запрет hardcoded Secret, требование ExternalSecret | `kind: Secret`<br>`stringData:`<br>`  password: plain-text` | Использовать `kind: ExternalSecret` (ESO) + backend Vault; исключить plaintext секреты в Git/YAML. | Compliance/Regulatory | Vault policy + ESO + ГОСТ 57580.1 | Использовать `kind: ExternalSecret` (ESO) + backend Vault; исключить plaintext секреты в Git/YAML. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-017 vault eso externalsecret kind secret stringdata plain text injection from vault gost 57580 -->
+| RRC-018 | Tech Stack: запрет drop-технологий в новых сервисах | `FROM python:3.9`<br>`php:7.4-fpm` | Для новых микросервисов использовать поддерживаемый стек (Python >= 3.10, без legacy PHP), фиксировать baseline в архитектурном стандарте. | Compliance/Regulatory | Internal tech baseline / Клинкер | Для новых микросервисов использовать поддерживаемый стек (Python >= 3.10, без legacy PHP), фиксировать baseline в архитектурном стандарте. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-018 tech stack drop technologies python 3 9 php legacy clinker baseline -->
+| RRC-019 | Клинкер/Keycloak: обязательный auth middleware для внутренних API | `@app.get("/internal/payments")`<br>`def handler(): ...` (без `VerifyToken`) | Все внутренние API должны проходить через middleware аутентификации Keycloak (`VerifyToken`/аналог), deny-by-default. | Compliance/Regulatory | Keycloak middleware policy / Клинкер / ГОСТ 57580.1 | Все внутренние API должны проходить через middleware аутентификации Keycloak (`VerifyToken`/аналог), deny-by-default. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-019 clinker keycloak verifytoken middleware internal api gost 57580 mtls -->
+| RRC-020 | Целостность КИИ: контрольные суммы исполняемых файлов и конфигов перед стартом | `app = load_binary("/opt/bin/service")`<br>`config = open("/etc/service/config.yaml").read()` | Перед запуском проверять SHA-256/ГОСТ-хэш исполняемого файла и критичных конфигов; при mismatch — fail closed и аудит-событие (Приказ 239). | Compliance/Regulatory | Приказ ФСТЭК №239, ГОСТ Р 56939 | Перед запуском проверять SHA-256/ГОСТ-хэш исполняемого файла и критичных конфигов; при mismatch — fail closed и аудит-событие (Приказ 239). | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-020 целостность кии checksum sha256 гост hash приказ 239 binary config integrity -->
+| RRC-021 | СЗИ-контроль: отсутствие проверки состояния AV/IDS в контуре | `start_service()`<br>`# no AV/IDS health check` | Перед запуском проверять наличие и работоспособность СЗИ (антивирус, IDS/IPS, EDR агент), логировать статус и блокировать старт при критическом отказе. | Compliance/Regulatory | Приказ ФСТЭК №235/239 | Перед запуском проверять наличие и работоспособность СЗИ (антивирус, IDS/IPS, EDR агент), логировать статус и блокировать старт при критическом отказе. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-021 сзи antivirus ids ips edr health check приказ 235 239 кии -->
+| RRC-022 | SDL/ГОСТ Р 56939: результаты статанализа не фиксируются в логах сборки | `ci_stage(\"build\")`<br>`run_semgrep()`<br>`# result not persisted` | Обязательная фиксация результатов SAST/SCA в артефактах CI (лог/отчет), подпись и хранение для аудита SDL по ГОСТ Р 56939. | Compliance/Regulatory | ГОСТ Р 56939, ФСТЭК SDL practice | Обязательная фиксация результатов SAST/SCA в артефактах CI (лог/отчет), подпись и хранение для аудита SDL по ГОСТ Р 56939. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-022 sdl gost 56939 static analysis semgrep syft ci logs artifacts audit -->
+| RRC-023 | Key Rotation: отсутствует `rotation_period` в Vault/KMS политиках | `key_policy = {"name": "payments-key"}`<br>`# no rotation_period` | Для криптографических ключей задать и контролировать `rotation_period`, автоматическую ротацию и журналировать события смены ключей. | Compliance/Regulatory | NIST SP 800-57, ЦБ 683-П | Для криптографических ключей задать и контролировать `rotation_period`, автоматическую ротацию и журналировать события смены ключей. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-023 key rotation rotation_period vault kms nist 800-57 cb 683-p -->
+| RRC-024 | Anti-Overlay/Integrity: нет CSP и контроля целостности UI | `<script src="https://cdn.example.com/widget.js"></script>`<br>`# no Content-Security-Policy` | Включить строгий CSP, SRI для внешних скриптов и проверки целостности DOM/critical forms для защиты ДБО от overlay/injection атак. | Compliance/Regulatory | ЦБ 683-П | Включить строгий CSP, SRI для внешних скриптов и проверки целостности DOM/critical forms для защиты ДБО от overlay/injection атак. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-024 anti-overlay integrity csp sri dom frontend react vue 683-p -->
+| RRC-025 | Payment Control: неизменность реквизитов между create и sign не контролируется | `payment.amount = req.amount`<br>`sign(payment)`<br>`# payload can change before signing` | Фиксировать hash реквизитов на этапе create и сравнивать перед sign/submit; при несовпадении — reject + audit event. | Compliance/Regulatory | ЦБ 719-П | Фиксировать hash реквизитов на этапе create и сравнивать перед sign/submit; при несовпадении — reject + audit event. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-025 payment control create sign integrity hash requisites cb 719-p -->
+| RRC-026 | Post-Quantum Readiness: отсутствует стратегия крипто-миграции | `crypto_profile = "rsa2048-only"` | Вести инвентаризацию криптопримитивов, план гибридных схем и процедуру миграции ключей/сертификатов под PQ-ready профиль. | Compliance/Regulatory | NIST SP 800-57 migration guidance | Вести инвентаризацию криптопримитивов, план гибридных схем и процедуру миграции ключей/сертификатов под PQ-ready профиль. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: rrc-026 post-quantum readiness crypto migration hybrid keys certificates nist 800-57 -->

package/dist/data/skills/ru-regulatory/skill.json

@@ -0,0 +1,53 @@
+{
+  "skill_id": "ru-regulatory",
+  "name": "RU Regulatory (152-FZ / КИИ)",
+  "activation_triggers": [
+    "rrc-152fz-pdn",
+    "rrc-1c-personal-data",
+    "rrc-gost-crypto",
+    "rrc-data-residency-ru",
+    "rrc-secure-delete",
+    "cb-683-p",
+    "cb-719-p",
+    "fstek-kii",
+    "post-quantum"
+  ],
+  "relevant_extensions": [
+    ".py",
+    ".cs",
+    ".1c",
+    ".bsl",
+    ".xml",
+    ".json",
+    ".yaml",
+    ".yml",
+    ".js",
+    ".ts",
+    ".tsx",
+    ".html",
+    ".dockerfile",
+    "dockerfile",
+    "deployment.yaml",
+    "externalsecret.yaml"
+  ],
+  "tools": [
+    "semgrep",
+    "syft",
+    "trufflehog"
+  ],
+  "rules_path": "core/skills/ru-regulatory/patterns.md",
+  "few_shot_examples": "core/gold-standard-testbed/ru_regulatory_vulnerable.py",
+  "mitigation_logic": {
+    "RRC-008": {
+      "exception_rule": "Если в deployment.yaml или в директории infra/ обнаружены конфигурации Fluentbit, Logstash или SIEM endpoint-интеграции, отсутствие локального audit_logger.py классифицируется как допустимое отклонение.",
+      "status_override": "OK",
+      "rationale": "Централизованный аудит на уровне инфраструктуры покрывает требования audit trail без обязательного локального файла аудита в кодовой базе сервиса."
+    },
+    "RRC-001": {
+      "exception_rule": "IP-адреса и Session ID в контексте Security/Auth журналов не классифицируются как нарушение 152-ФЗ.",
+      "masking_policy": "Обязательному маскированию подлежат Email и ФИО; IP и Session ID сохраняются для целей расследования инцидентов и корреляции событий.",
+      "status_adjustment": "Не формировать finding по IP/Session ID при подтвержденном security/audit контексте записи."
+    }
+  },
+  "security_priority": 10
+}

package/dist/data/skills/ruby-rails/index.md

@@ -0,0 +1,65 @@
+# Ruby / Rails
+
+## Stack overview
+
+**Rails**-style controllers and Ruby idioms: `eval`, YAML, mass assignment, redirects, and SSRF. Metrics are prefixed **`RUBY`**.
+
+## Top threats
+
+- Code/command injection and ERB (`RUBY-001`–`RUBY-003`, `RUBY-006`, `RUBY-012`).
+- Unsafe YAML and mass assignment (`RUBY-008`–`RUBY-011`).
+- Open redirect, cookies, SSRF (`RUBY-013`–`RUBY-014`, `RUBY-017`).
+
+## Pattern catalog
+
+Complete Anti-Pattern / Safe-Pattern definitions live in [`patterns.md`](patterns.md). The table below is a **table of contents** by metric ID.
+
+| ID | Metric | Stack |
+|---|---|---|
+| `RUBY-001` | Ruby Code Injection: `eval(params[:expr])` | `expr = params[:expr]` `raise "invalid" unless expr =~ /\\A[0-9+\\-*\\/(). ]{1,64}\\z/` `...` `result = safe_math_eval(expr)` |
+| `RUBY-002` | Command Injection: `system(params[:cmd])` | `action = params[:action]` `allowed = { "uptime" => ["uptime"] }` `raise "blocked" unless allowed.key?(action)` `...` `Open3.capture2e(*allowed[action])` |
+| `RUBY-003` | Shell Injection: backticks with user input | `host = params[:host]` `raise "invalid" unless host =~ /\\A[a-zA-Z0-9.-]{1,255}\\z/` `...` `out, _ = Open3.capture2e("ping", "-c", "1", host)` |
+| `RUBY-004` | Unsafe Constantize: класс из params | `allow = { "HealthHandler" => HealthHandler }` `key = params[:klass]` `raise "blocked" unless allow.key?(key)` `...` `allow[key].new.call` |
+| `RUBY-005` | Unsafe `send` from user method name | `method = params[:method]` `allowed = %w[health status]` `raise "blocked" unless allowed.include?(method)` `...` `service.public_send(method)` |
+| `RUBY-006` | ERB Injection: шаблон из пользовательского ввода | `name = params[:template_name]` `allowed = %w[welcome invoice]` `raise "blocked" unless allowed.include?(name)` `...` `render template: "safe/#{name}"` |
+| `RUBY-007` | SQL Fragment Injection: dynamic ORDER BY | `order = params[:order]` `order = "name" unless %w[name created_at].include?(order)` `...` `User.order(order)` |
+| `RUBY-008` | Unsafe YAML deserialization in command flow | `blob = params[:blob]` `...` `obj = YAML.safe_load(blob, permitted_classes: [], aliases: false)` |
+| `RUBY-009` | Mass Assignment: критичные поля принимаются напрямую из params | `allowed = params.require(:user).permit(:email, :display_name)` `user.update(allowed)` |
+| `RUBY-010` | Unsafe Render Path: путь шаблона из пользовательского ввода | `name = params[:name]` `raise "blocked" unless %w[home about].include?(name)` `render template: "pages/#{name}"` |
+| `RUBY-011` | YAML.load Deserialization: небезопасная загрузка объектов | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` |
+| `RUBY-012` | Command Injection через backticks | `allowed = {"uptime" => ["uptime"]}` `cmd = params[:action]` `raise "blocked" unless allowed.key?(cmd)` `Open3.capture2e(*allowed[cmd])` |
+| `RUBY-013` | Open Redirect в контроллере | `next_url = params[:next]` `next_url = root_path unless next_url&.start_with?("/")` `redirect_to next_url` |
+| `RUBY-014` | Insecure Cookies: отсутствие HttpOnly/Secure | `cookies[:session] = { value: token, httponly: true, secure: true, same_site: :strict }` |
+| `RUBY-015` | Hardcoded Secret in initializer | `JWT_SECRET = ENV.fetch("JWT_SECRET")` |
+| `RUBY-016` | Weak Crypto Digest (MD5/SHA1) | `Digest::SHA256.hexdigest(password + salt)` |
+| `RUBY-017` | SSRF через Net::HTTP на URL из params | `uri = URI(params[:url])` `raise "blocked" unless ALLOWED_HOSTS.include?(uri.host)` `Net::HTTP.get(uri)` |
+| `RUBY-018` | Unsafe Constantize from params | `allow = {"ReportJob" => ReportJob}` `klass = allow.fetch(params[:klass])` |
+| `RUBY-019` | Debug endpoint in production | `if Rails.env.development?` `  get "/debug/env", to: "debug#env"` `end` |
+| `RUBY-020` | Sensitive error leakage наружу | `Rails.logger.error(e.full_message)` `render json: { error: "internal server error" }, status: 500` |
+
+## Verification
+
+**Verification:** Check the gold testbed file(s) below for `Vulnerable: <ID>` markers (static Semgrep + `detection-matrix.md` ground truth).
+
+- [`gold-standard-testbed/multi_lang_vulnerable/ruby_vulnerable.rb`](../gold-standard-testbed/multi_lang_vulnerable/ruby_vulnerable.rb)
+
+After changing [`patterns.md`](patterns.md), run from the repo root:
+
+```bash
+python scripts/sync_semgrep.py
+```
+
+## Workflow: Recon → Scan → Verify
+
+### 1) Recon
+- Map entrypoints, data flows, and trust boundaries for this stack.
+- Identify which metrics in [`patterns.md`](patterns.md) apply to the code under review.
+
+### 2) Scan
+- Run Semgrep with `semgrep-rules/<skill>.yaml` (generated) and correlate with Anti-Patterns.
+- Eliminate findings that cannot bind to a metric row.
+
+### 3) Verify
+- Confirm markers or scanner hits for touched IDs in the gold testbed when adding metrics.
+- Emit findings as `Vulnerable: <PREFIX>-<NNN>` in written reviews.
+

package/dist/data/skills/ruby-rails/patterns.md

@@ -0,0 +1,172 @@
+| ID | Название метрики | Anti-Pattern (Vulnerable Code/YAML) | Safe-Pattern (Remediation) | Stack | Источник  fix_template | Exploit scenario |
+|---|---|---|---|---|---|---|
+| RUBY-001 | Ruby Code Injection: `eval(params[:expr])` | `expr = params[:expr]`<br>`...`<br>`result = eval(expr)` | `expr = params[:expr]`<br>`raise "invalid" unless expr =~ /\\A[0-9+\\-*\\/(). ]{1,64}\\z/`<br>`...`<br>`result = safe_math_eval(expr)` | Ruby/Rails | `CWE-94` | `expr = params[:expr]` `raise "invalid" unless expr =~ /\\A[0-9+\\-*\\/(). ]{1,64}\\z/` `...` `result = safe_math_eval(expr)` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ruby-001 ruby injection eval params expr result raise invalid unless a 0 9 1 64 z math -->
+| RUBY-002 | Command Injection: `system(params[:cmd])` | `cmd = params[:cmd]`<br>`...`<br>`system(cmd)` | `action = params[:action]`<br>`allowed = { "uptime" => ["uptime"] }`<br>`raise "blocked" unless allowed.key?(action)`<br>`...`<br>`Open3.capture2e(*allowed[action])` | Ruby/Rails | `CWE-78` | `action = params[:action]` `allowed = { "uptime" => ["uptime"] }` `raise "blocked" unless allowed.key?(action)` `...` `Open3.capture2e(*allowed[action])` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ruby-002 command injection system params cmd action allowed uptime raise blocked unless key open3 capture2e -->
+| RUBY-003 | Shell Injection: backticks with user input | `host = params[:host]`<br>`...`<br>``out = `ping -c 1 #{host}` `` | `host = params[:host]`<br>`raise "invalid" unless host =~ /\\A[a-zA-Z0-9.-]{1,255}\\z/`<br>`...`<br>`out, _ = Open3.capture2e("ping", "-c", "1", host)` | Ruby/Rails | `CWE-77` | `host = params[:host]` `raise "invalid" unless host =~ /\\A[a-zA-Z0-9.-]{1,255}\\z/` `...` `out, _ = Open3.capture2e("ping", "-c", "1", host)` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ruby-003 shell injection backticks with user input host params out ping c 1 raise invalid unless a za z0 9 255 -->
+| RUBY-004 | Unsafe Constantize: класс из params | `klass = params[:klass].constantize`<br>`...`<br>`klass.new.call` | `allow = { "HealthHandler" => HealthHandler }`<br>`key = params[:klass]`<br>`raise "blocked" unless allow.key?(key)`<br>`...`<br>`allow[key].new.call` | Ruby/Rails | `CWE-470` | `allow = { "HealthHandler" => HealthHandler }` `key = params[:klass]` `raise "blocked" unless allow.key?(key)` `...` `allow[key].new.call` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ruby-004 unsafe constantize класс из params klass new call allow healthhandler key raise blocked unless -->
+| RUBY-005 | Unsafe `send` from user method name | `method = params[:method]`<br>`...`<br>`service.send(method)` | `method = params[:method]`<br>`allowed = %w[health status]`<br>`raise "blocked" unless allowed.include?(method)`<br>`...`<br>`service.public_send(method)` | Ruby/Rails | `CWE-74` | `method = params[:method]` `allowed = %w[health status]` `raise "blocked" unless allowed.include?(method)` `...` `service.public_send(method)` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ruby-005 unsafe send from user method name params service allowed w health status raise blocked unless include public -->
+| RUBY-006 | ERB Injection: шаблон из пользовательского ввода | `tpl = params[:template]`<br>`...`<br>`ERB.new(tpl).result(binding)` | `name = params[:template_name]`<br>`allowed = %w[welcome invoice]`<br>`raise "blocked" unless allowed.include?(name)`<br>`...`<br>`render template: "safe/#{name}"` | Ruby/Rails | `CWE-94` | `name = params[:template_name]` `allowed = %w[welcome invoice]` `raise "blocked" unless allowed.include?(name)` `...` `render template: "safe/#{name}"` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ruby-006 erb injection шаблон из пользовательского ввода tpl params template new result binding name allowed w welcome invoice raise blocked unless -->
+| RUBY-007 | SQL Fragment Injection: dynamic ORDER BY | `order = params[:order]`<br>`...`<br>`User.order(order)` | `order = params[:order]`<br>`order = "name" unless %w[name created_at].include?(order)`<br>`...`<br>`User.order(order)` | Ruby/Rails | `CWE-74` | `order = params[:order]` `order = "name" unless %w[name created_at].include?(order)` `...` `User.order(order)` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ruby-007 sql fragment injection dynamic order by params user name unless w created at include -->
+| RUBY-008 | Unsafe YAML deserialization in command flow | `blob = params[:blob]`<br>`...`<br>`obj = YAML.load(blob)` | `blob = params[:blob]`<br>`...`<br>`obj = YAML.safe_load(blob, permitted_classes: [], aliases: false)` | Ruby/Rails | `CWE-95` | `blob = params[:blob]` `...` `obj = YAML.safe_load(blob, permitted_classes: [], aliases: false)` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ruby-008 unsafe deserialization command flow blob params obj load permitted classes aliases false -->
+| RUBY-009 | Mass Assignment: критичные поля принимаются напрямую из params | `user.update(params[:user])` | `allowed = params.require(:user).permit(:email, :display_name)`<br>`user.update(allowed)` | Ruby/Rails | `CWE-915` | `allowed = params.require(:user).permit(:email, :display_name)` `user.update(allowed)` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ruby-009 mass assignment критичные поля принимаются напрямую из params user update allowed require permit email display name -->
+| RUBY-010 | Unsafe Render Path: путь шаблона из пользовательского ввода | `render file: params[:path]` | `name = params[:name]`<br>`raise "blocked" unless %w[home about].include?(name)`<br>`render template: "pages/#{name}"` | Ruby/Rails | `CWE-22` | `name = params[:name]` `raise "blocked" unless %w[home about].include?(name)` `render template: "pages/#{name}"` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ruby-010 unsafe render path путь шаблона из пользовательского ввода file params name raise blocked unless w home about include template pages -->
+| RUBY-011 | YAML.load Deserialization: небезопасная загрузка объектов | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | `CWE-502` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ruby-011 load deserialization небезопасная загрузка объектов obj params payload permitted classes aliases false -->
+| RUBY-012 | Command Injection через backticks | `out = %x(#{params[:cmd]})` | `allowed = {"uptime" => ["uptime"]}`<br>`cmd = params[:action]`<br>`raise "blocked" unless allowed.key?(cmd)`<br>`Open3.capture2e(*allowed[cmd])` | Ruby/Rails | `CWE-78` | `allowed = {"uptime" => ["uptime"]}` `cmd = params[:action]` `raise "blocked" unless allowed.key?(cmd)` `Open3.capture2e(*allowed[cmd])` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ruby-012 command injection через backticks out x params cmd allowed uptime action raise blocked unless key open3 capture2e -->
+| RUBY-013 | Open Redirect в контроллере | `redirect_to params[:next]` | `next_url = params[:next]`<br>`next_url = root_path unless next_url&.start_with?("/")`<br>`redirect_to next_url` | Ruby/Rails | `CWE-601` | `next_url = params[:next]` `next_url = root_path unless next_url&.start_with?("/")` `redirect_to next_url` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ruby-013 open redirect в контроллере to params next url root path unless start with -->
+| RUBY-014 | Insecure Cookies: отсутствие HttpOnly/Secure | `cookies[:session] = token` | `cookies[:session] = { value: token, httponly: true, secure: true, same_site: :strict }` | Ruby/Rails | `CWE-614` | `cookies[:session] = { value: token, httponly: true, secure: true, same_site: :strict }` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ruby-014 insecure cookies отсутствие httponly secure session token value true same site strict -->
+| RUBY-015 | Hardcoded Secret in initializer | `JWT_SECRET = "prod-secret-123"` | `JWT_SECRET = ENV.fetch("JWT_SECRET")` | Ruby/Rails | `CWE-798` | `JWT_SECRET = ENV.fetch("JWT_SECRET")` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ruby-015 hardcoded secret initializer jwt prod 123 env fetch -->
+| RUBY-016 | Weak Crypto Digest (MD5/SHA1) | `Digest::MD5.hexdigest(password)` | `Digest::SHA256.hexdigest(password + salt)` | Ruby/Rails | `CWE-327` | `Digest::SHA256.hexdigest(password + salt)` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ruby-016 weak crypto digest md5 sha1 hexdigest password sha256 salt -->
+| RUBY-017 | SSRF через Net::HTTP на URL из params | `uri = URI(params[:url])`<br>`Net::HTTP.get(uri)` | `uri = URI(params[:url])`<br>`raise "blocked" unless ALLOWED_HOSTS.include?(uri.host)`<br>`Net::HTTP.get(uri)` | Ruby/Rails | `CWE-918` | `uri = URI(params[:url])` `raise "blocked" unless ALLOWED_HOSTS.include?(uri.host)` `Net::HTTP.get(uri)` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ruby-017 ssrf через net http на url из params uri get raise blocked unless allowed hosts include host -->
+| RUBY-018 | Unsafe Constantize from params | `klass = params[:klass].constantize` | `allow = {"ReportJob" => ReportJob}`<br>`klass = allow.fetch(params[:klass])` | Ruby/Rails | `CWE-470` | `allow = {"ReportJob" => ReportJob}` `klass = allow.fetch(params[:klass])` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ruby-018 unsafe constantize from params klass allow reportjob fetch -->
+| RUBY-019 | Debug endpoint in production | `get "/debug/env", to: proc { [200, {}, [ENV.to_h.to_s]] }` | `if Rails.env.development?`<br>`  get "/debug/env", to: "debug#env"`<br>`end` | Ruby/Rails | `CWE-489` | `if Rails.env.development?` `  get "/debug/env", to: "debug#env"` `end` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ruby-019 debug endpoint production get env to proc 200 h s if rails development end -->
+| RUBY-020 | Sensitive error leakage наружу | `render json: { error: e.message, backtrace: e.backtrace }, status: 500` | `Rails.logger.error(e.full_message)`<br>`render json: { error: "internal server error" }, status: 500` | Ruby/Rails | `CWE-209` | `Rails.logger.error(e.full_message)` `render json: { error: "internal server error" }, status: 500` | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: ruby-020 sensitive error leakage наружу render json e message backtrace status 500 rails logger full internal server -->
+| RUBYX-021 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-022 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-023 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-024 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-025 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-026 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-027 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-028 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-029 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-030 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-031 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-032 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-033 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-034 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-035 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-036 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-037 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-038 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-039 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-040 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-041 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-042 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-043 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-044 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-045 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-046 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-047 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-048 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-049 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-050 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-051 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-052 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-053 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-054 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-055 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-056 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-057 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-058 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-059 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-060 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-061 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-062 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-063 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-064 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-065 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-066 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-067 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-068 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-069 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-070 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-071 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-072 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-073 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-074 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-075 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-076 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-077 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-078 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-079 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-080 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-081 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-082 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-083 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-084 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-085 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-086 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-087 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-088 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-089 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-090 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-091 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-092 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-093 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-094 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-095 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-096 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-097 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-098 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-099 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-100 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-101 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-102 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-103 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-104 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-105 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-106 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-107 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-108 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-109 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-110 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-111 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-112 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-113 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-114 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-115 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-116 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-117 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-118 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-119 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-120 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-121 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-122 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-123 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-124 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-125 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-126 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-127 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-128 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-129 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-130 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-131 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-132 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-133 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-134 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-135 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-136 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-137 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-138 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-139 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-140 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-141 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-142 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-143 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-144 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-145 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-146 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-147 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-148 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-149 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-150 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-151 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-152 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-153 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-154 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-155 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-156 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-157 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-158 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-159 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-160 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-161 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-162 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-163 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-164 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-165 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |
+| RUBYX-166 | Rails mass assignment on ActiveRecord model (Logic: strong) | `user.update(params[:user])` | `user.update(params.require(:user).permit(:email, :display_name))` | Ruby/Rails | CWE-915 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Unfiltered params permit privilege field overwrite. |
+| RUBYX-167 | Rails insecure dynamic render from params | `render file: params[:path]` | `render template: "pages/#{safe_name}"` | Ruby/Rails | CWE-22 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Dynamic path rendering can lead to file traversal and sensitive template disclosure. |
+| RUBYX-168 | Ruby YAML.load on user payload | `obj = YAML.load(params[:payload])` | `obj = YAML.safe_load(params[:payload], permitted_classes: [], aliases: false)` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | YAML object deserialization can invoke attacker-controlled classes. |
+| RUBYX-169 | Ruby Marshal.load on untrusted blob | `obj = Marshal.load(Base64.decode64(params[:blob]))` | `obj = JSON.parse(Base64.decode64(params[:blob]))` | Ruby/Rails | CWE-502 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Marshal payload can trigger gadget chain execution. |
+| RUBYX-170 | Rails object-level authorization bypass by id (Logic: strong) | `order = Order.find(params[:id])` | `order = current_user.orders.find(params[:id])` | Ruby/Rails | CWE-639 | Autofix: enforce strong params, ownership scoping, and safe deserialization APIs. | Direct object lookup by id allows cross-account data access. |

package/dist/data/skills/ruby-rails/skill.json

@@ -0,0 +1,24 @@
+{
+  "skill_id": "ruby-rails",
+  "name": "Ruby / Rails Security",
+  "activation_triggers": [
+    "ruby-rails-mass-assign",
+    "ruby-yaml-load",
+    "ruby-open-redirect",
+    "ruby-ssrf-nethttp",
+    "ruby-cookie-secret"
+  ],
+  "relevant_extensions": [
+    ".rb",
+    ".erb",
+    ".yml"
+  ],
+  "tools": [
+    "semgrep",
+    "syft",
+    "trufflehog"
+  ],
+  "rules_path": "core/skills/ruby-rails/patterns.md",
+  "few_shot_examples": "core/gold-standard-testbed/multi_lang_vulnerable/ruby_vulnerable.rb",
+  "security_priority": 5
+}