getdoorman 1.0.0

package/src/rules/security/ruby.js

@@ -0,0 +1,1061 @@
+/**
+ * Ruby Security Rules (SEC-RUBY-001 through SEC-RUBY-060)
+ *
+ * Each rule scans Ruby source files for security vulnerabilities.
+ */
+
+const isRuby = (f) => f.endsWith('.rb');
+
+const SKIP_PATH = /[/\\](test|tests|__tests__|__mocks__|mocks|fixtures|__fixtures__|spec|__snapshots__|node_modules|vendor|dist|build)[/\\]/i;
+const COMMENT_LINE = /^\s*(#)/;
+
+function scanLines(content, regex, file, rule) {
+  const findings = [];
+  const lines = content.split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (COMMENT_LINE.test(line)) continue;
+    if (regex.test(line)) {
+      findings.push({
+        ruleId: rule.id,
+        category: rule.category,
+        severity: rule.severity,
+        title: rule.title,
+        description: rule.description,
+        confidence: rule.confidence,
+        file,
+        line: i + 1,
+        fix: rule.fix || null,
+      });
+    }
+  }
+  return findings;
+}
+
+function checkRuby(rule, files, ...patterns) {
+  const findings = [];
+  for (const [path, content] of files) {
+    if (SKIP_PATH.test(path)) continue;
+    if (isRuby(path)) {
+      for (const p of patterns) {
+        findings.push(...scanLines(content, p, path, rule));
+      }
+    }
+  }
+  return findings;
+}
+
+const rules = [
+  // ===========================================================================
+  // Rails SQL Injection (001–010)
+  // ===========================================================================
+
+  // SEC-RUBY-001: SQL injection via string interpolation in where clause
+  {
+    id: 'SEC-RUBY-001',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection via String Interpolation in where()',
+    description: 'Using string interpolation inside ActiveRecord where() allows SQL injection.',
+    fix: { suggestion: 'Use parameterized where: where("col = ?", value) or where(col: value).' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /\.where\s*\(\s*["'].*#\{/,
+      );
+    },
+  },
+
+  // SEC-RUBY-002: SQL injection via string concatenation in where clause
+  {
+    id: 'SEC-RUBY-002',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection via String Concatenation in where()',
+    description: 'Concatenating user input into ActiveRecord where() enables SQL injection.',
+    fix: { suggestion: 'Use parameterized queries instead of string concatenation.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /\.where\s*\(\s*["'].*["']\s*\+/,
+      );
+    },
+  },
+
+  // SEC-RUBY-003: Raw SQL execution with interpolation
+  {
+    id: 'SEC-RUBY-003',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Raw SQL with String Interpolation',
+    description: 'Using execute() or select_all() with interpolated strings allows SQL injection.',
+    fix: { suggestion: 'Use sanitize_sql_array or parameterized queries.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /(?:execute|select_all|select_one|select_value)\s*\(\s*["'].*#\{/,
+      );
+    },
+  },
+
+  // SEC-RUBY-004: SQL injection via find_by_sql
+  {
+    id: 'SEC-RUBY-004',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection via find_by_sql',
+    description: 'Using find_by_sql with string interpolation allows SQL injection.',
+    fix: { suggestion: 'Use parameterized find_by_sql: find_by_sql(["SELECT ... WHERE id = ?", id]).' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /find_by_sql\s*\(\s*["'].*#\{/,
+      );
+    },
+  },
+
+  // SEC-RUBY-005: SQL injection via order clause
+  {
+    id: 'SEC-RUBY-005',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'SQL Injection via order()',
+    description: 'Passing user input directly to order() can allow SQL injection.',
+    fix: { suggestion: 'Whitelist allowed columns and directions for ordering.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /\.order\s*\(\s*["'].*#\{/,
+      );
+    },
+  },
+
+  // SEC-RUBY-006: SQL injection via group clause
+  {
+    id: 'SEC-RUBY-006',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'SQL Injection via group()',
+    description: 'Passing user input to group() enables SQL injection.',
+    fix: { suggestion: 'Whitelist allowed column names for grouping.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /\.group\s*\(\s*["'].*#\{/,
+      );
+    },
+  },
+
+  // SEC-RUBY-007: SQL injection via pluck
+  {
+    id: 'SEC-RUBY-007',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'SQL Injection via pluck()',
+    description: 'Passing user input to pluck() can lead to SQL injection.',
+    fix: { suggestion: 'Whitelist column names before passing to pluck.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /\.pluck\s*\(\s*["'].*#\{/,
+      );
+    },
+  },
+
+  // SEC-RUBY-008: SQL injection via having clause
+  {
+    id: 'SEC-RUBY-008',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'SQL Injection via having()',
+    description: 'Using string interpolation in having() allows SQL injection.',
+    fix: { suggestion: 'Use parameterized having: having("count > ?", value).' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /\.having\s*\(\s*["'].*#\{/,
+      );
+    },
+  },
+
+  // SEC-RUBY-009: SQL injection via joins
+  {
+    id: 'SEC-RUBY-009',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'SQL Injection via joins()',
+    description: 'Using string interpolation in joins() allows SQL injection.',
+    fix: { suggestion: 'Use symbol-based joins or sanitize input.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /\.joins\s*\(\s*["'].*#\{/,
+      );
+    },
+  },
+
+  // SEC-RUBY-010: SQL injection via calculate
+  {
+    id: 'SEC-RUBY-010',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'SQL Injection via calculate()',
+    description: 'Passing user-controlled strings to calculate() enables SQL injection.',
+    fix: { suggestion: 'Whitelist allowed aggregate operations and column names.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /\.calculate\s*\(\s*["'].*#\{/,
+      );
+    },
+  },
+
+  // ===========================================================================
+  // XSS (011–015)
+  // ===========================================================================
+
+  // SEC-RUBY-011: XSS via raw() helper
+  {
+    id: 'SEC-RUBY-011',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'XSS via raw() Helper',
+    description: 'Using raw() to render user input bypasses HTML escaping and enables XSS.',
+    fix: { suggestion: 'Use sanitize() or html_escape() instead of raw().' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /\braw\s*\(/,
+      );
+    },
+  },
+
+  // SEC-RUBY-012: XSS via html_safe
+  {
+    id: 'SEC-RUBY-012',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'XSS via html_safe',
+    description: 'Calling html_safe on user-controlled strings disables HTML escaping.',
+    fix: { suggestion: 'Avoid html_safe on user input; use sanitize() instead.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /\.html_safe/,
+      );
+    },
+  },
+
+  // SEC-RUBY-013: XSS via content_tag with unsafe content
+  {
+    id: 'SEC-RUBY-013',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'XSS via content_tag with Interpolation',
+    description: 'Using content_tag with interpolated user input may lead to XSS.',
+    fix: { suggestion: 'Ensure all content passed to content_tag is sanitized.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /content_tag\s*\(.*#\{/,
+      );
+    },
+  },
+
+  // SEC-RUBY-014: XSS via link_to with user-controlled href
+  {
+    id: 'SEC-RUBY-014',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'XSS via link_to with User-Controlled URL',
+    description: 'Using link_to with user-controlled URLs can allow javascript: protocol XSS.',
+    fix: { suggestion: 'Validate URLs against an allowlist of protocols (http, https).' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /link_to\s*.*params\[/,
+      );
+    },
+  },
+
+  // SEC-RUBY-015: XSS via render inline
+  {
+    id: 'SEC-RUBY-015',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'XSS via render inline',
+    description: 'Using render inline with user input allows arbitrary code execution and XSS.',
+    fix: { suggestion: 'Avoid render inline; use templates with proper escaping.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /render\s+inline\s*:/,
+      );
+    },
+  },
+
+  // ===========================================================================
+  // Mass Assignment (016–020)
+  // ===========================================================================
+
+  // SEC-RUBY-016: Mass assignment via permit!
+  {
+    id: 'SEC-RUBY-016',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Mass Assignment via permit!',
+    description: 'Using permit! allows all parameters, bypassing strong parameters protection.',
+    fix: { suggestion: 'Explicitly list allowed parameters with permit(:field1, :field2).' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /\.permit!/,
+      );
+    },
+  },
+
+  // SEC-RUBY-017: Mass assignment via attr_accessible bypass
+  {
+    id: 'SEC-RUBY-017',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Unprotected Mass Assignment with attr_accessible',
+    description: 'Using without_protection: true bypasses attr_accessible whitelisting.',
+    fix: { suggestion: 'Remove without_protection option and properly whitelist attributes.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /without_protection\s*:\s*true/,
+      );
+    },
+  },
+
+  // SEC-RUBY-018: Mass assignment via update_attributes with params
+  {
+    id: 'SEC-RUBY-018',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Mass Assignment via update_attributes with params',
+    description: 'Passing raw params to update_attributes allows mass assignment attacks.',
+    fix: { suggestion: 'Use strong parameters: update_attributes(user_params) with permit.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /update_attributes?\s*\(\s*params/,
+      );
+    },
+  },
+
+  // SEC-RUBY-019: Mass assignment via new/create with raw params
+  {
+    id: 'SEC-RUBY-019',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Mass Assignment via new/create with Raw Params',
+    description: 'Passing raw params hash to new() or create() enables mass assignment.',
+    fix: { suggestion: 'Use strong parameters to whitelist allowed fields.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /\.(?:new|create|create!)\s*\(\s*params\b/,
+      );
+    },
+  },
+
+  // SEC-RUBY-020: Mass assignment via assign_attributes
+  {
+    id: 'SEC-RUBY-020',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Mass Assignment via assign_attributes with Raw Params',
+    description: 'Passing raw params to assign_attributes allows mass assignment.',
+    fix: { suggestion: 'Filter params through strong parameters before assign_attributes.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /assign_attributes\s*\(\s*params/,
+      );
+    },
+  },
+
+  // ===========================================================================
+  // CSRF (021–025)
+  // ===========================================================================
+
+  // SEC-RUBY-021: CSRF protection disabled
+  {
+    id: 'SEC-RUBY-021',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'CSRF Protection Disabled',
+    description: 'skip_before_action :verify_authenticity_token disables CSRF protection.',
+    fix: { suggestion: 'Remove the skip_before_action or scope it to API-only actions with proper auth.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /skip_before_action\s+:verify_authenticity_token/,
+      );
+    },
+  },
+
+  // SEC-RUBY-022: CSRF protect_from_forgery with null_session
+  {
+    id: 'SEC-RUBY-022',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'CSRF Protection with null_session',
+    description: 'protect_from_forgery with: :null_session may weaken CSRF protection.',
+    fix: { suggestion: 'Use protect_from_forgery with: :exception for web apps.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /protect_from_forgery\s+with:\s*:null_session/,
+      );
+    },
+  },
+
+  // SEC-RUBY-023: Missing CSRF protection
+  {
+    id: 'SEC-RUBY-023',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Missing protect_from_forgery in ApplicationController',
+    description: 'ApplicationController without protect_from_forgery is vulnerable to CSRF.',
+    fix: { suggestion: 'Add protect_from_forgery with: :exception to ApplicationController.' },
+    check({ files }) {
+      const findings = [];
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isRuby(path)) {
+          if (/class\s+ApplicationController/.test(content) && /skip_forgery_protection/.test(content)) {
+            findings.push({ ruleId: this.id, file: path, line: 1, title: this.title, severity: this.severity });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-RUBY-024: CSRF token in GET request
+  {
+    id: 'SEC-RUBY-024',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'State-Changing Action via GET Route',
+    description: 'Using GET for state-changing actions exposes CSRF tokens in URLs and logs.',
+    fix: { suggestion: 'Use POST/PUT/PATCH/DELETE for state-changing operations.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /get\s+['"].*(?:delete|destroy|update|create|remove)/,
+      );
+    },
+  },
+
+  // SEC-RUBY-025: CSRF protection disabled globally
+  {
+    id: 'SEC-RUBY-025',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'CSRF Protection Disabled via Configuration',
+    description: 'Setting allow_forgery_protection to false disables CSRF globally.',
+    fix: { suggestion: 'Set config.action_controller.allow_forgery_protection = true.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /allow_forgery_protection\s*=\s*false/,
+      );
+    },
+  },
+
+  // ===========================================================================
+  // Command Injection (026–030)
+  // ===========================================================================
+
+  // SEC-RUBY-026: Command injection via system()
+  {
+    id: 'SEC-RUBY-026',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Command Injection via system()',
+    description: 'Passing user input to system() allows command injection.',
+    fix: { suggestion: 'Use the array form: system("cmd", arg1, arg2) to avoid shell interpretation.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /\bsystem\s*\(\s*["'].*#\{/,
+      );
+    },
+  },
+
+  // SEC-RUBY-027: Command injection via backticks
+  {
+    id: 'SEC-RUBY-027',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Command Injection via Backticks',
+    description: 'Using backticks with interpolation allows command injection.',
+    fix: { suggestion: 'Use Open3.capture3 or system() array form instead of backticks.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /`[^`]*#\{/,
+      );
+    },
+  },
+
+  // SEC-RUBY-028: Command injection via exec()
+  {
+    id: 'SEC-RUBY-028',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Command Injection via exec()',
+    description: 'Passing user input to exec() allows command injection.',
+    fix: { suggestion: 'Use exec with array form: exec("cmd", arg1) to avoid shell interpretation.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /\bexec\s*\(\s*["'].*#\{/,
+      );
+    },
+  },
+
+  // SEC-RUBY-029: Command injection via IO.popen
+  {
+    id: 'SEC-RUBY-029',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Command Injection via IO.popen',
+    description: 'Using IO.popen with string interpolation allows command injection.',
+    fix: { suggestion: 'Use IO.popen with array form: IO.popen(["cmd", arg]).' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /IO\.popen\s*\(\s*["'].*#\{/,
+      );
+    },
+  },
+
+  // SEC-RUBY-030: Command injection via Open3
+  {
+    id: 'SEC-RUBY-030',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Command Injection via Open3 with Interpolation',
+    description: 'Using Open3 methods with string interpolation allows command injection.',
+    fix: { suggestion: 'Use Open3 with array arguments to avoid shell interpretation.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /Open3\.(?:capture3|popen3|popen2)\s*\(\s*["'].*#\{/,
+      );
+    },
+  },
+
+  // ===========================================================================
+  // YAML/Marshal Deserialization (031–035)
+  // ===========================================================================
+
+  // SEC-RUBY-031: Unsafe YAML.load
+  {
+    id: 'SEC-RUBY-031',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Unsafe YAML.load',
+    description: 'YAML.load can deserialize arbitrary Ruby objects, leading to RCE.',
+    fix: { suggestion: 'Use YAML.safe_load instead of YAML.load.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /YAML\.load\s*\(/,
+      );
+    },
+  },
+
+  // SEC-RUBY-032: Marshal.load with untrusted data
+  {
+    id: 'SEC-RUBY-032',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Unsafe Marshal.load',
+    description: 'Marshal.load can execute arbitrary code when deserializing untrusted data.',
+    fix: { suggestion: 'Use JSON or YAML.safe_load instead of Marshal for untrusted data.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /Marshal\.load\s*\(/,
+      );
+    },
+  },
+
+  // SEC-RUBY-033: Marshal.restore with untrusted data
+  {
+    id: 'SEC-RUBY-033',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Unsafe Marshal.restore',
+    description: 'Marshal.restore is an alias for Marshal.load and is equally dangerous.',
+    fix: { suggestion: 'Use JSON or YAML.safe_load instead of Marshal.restore.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /Marshal\.restore\s*\(/,
+      );
+    },
+  },
+
+  // SEC-RUBY-034: YAML.load with permitted_classes bypass
+  {
+    id: 'SEC-RUBY-034',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'YAML.safe_load with Overly Broad permitted_classes',
+    description: 'Allowing too many classes in YAML.safe_load can still be exploitable.',
+    fix: { suggestion: 'Minimize permitted_classes to only those strictly needed.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /YAML\.safe_load\s*\(.*permitted_classes\s*:\s*\[.*Symbol/,
+      );
+    },
+  },
+
+  // SEC-RUBY-035: ERB.new with user input
+  {
+    id: 'SEC-RUBY-035',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Server-Side Template Injection via ERB.new',
+    description: 'Passing user input to ERB.new allows arbitrary code execution.',
+    fix: { suggestion: 'Never pass user input to ERB.new; use pre-defined templates.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /ERB\.new\s*\(.*params/,
+      );
+    },
+  },
+
+  // ===========================================================================
+  // File Access (036–040)
+  // ===========================================================================
+
+  // SEC-RUBY-036: Path traversal via File.read
+  {
+    id: 'SEC-RUBY-036',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Path Traversal via File.read with User Input',
+    description: 'Passing user input to File.read allows reading arbitrary files.',
+    fix: { suggestion: 'Validate and sanitize file paths; use File.expand_path and check prefix.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /File\.read\s*\(.*params/,
+      );
+    },
+  },
+
+  // SEC-RUBY-037: Path traversal via File.open
+  {
+    id: 'SEC-RUBY-037',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Path Traversal via File.open with User Input',
+    description: 'Passing user input to File.open allows reading or writing arbitrary files.',
+    fix: { suggestion: 'Validate file paths against a base directory allowlist.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /File\.open\s*\(.*params/,
+      );
+    },
+  },
+
+  // SEC-RUBY-038: send_file with user input
+  {
+    id: 'SEC-RUBY-038',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Path Traversal via send_file',
+    description: 'Using send_file with user-controlled path allows arbitrary file disclosure.',
+    fix: { suggestion: 'Validate the file path and ensure it stays within the allowed directory.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /send_file\s*\(.*params/,
+      );
+    },
+  },
+
+  // SEC-RUBY-039: Tempfile with predictable name
+  {
+    id: 'SEC-RUBY-039',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Tempfile with Predictable Prefix',
+    description: 'Creating temporary files with predictable names may lead to symlink attacks.',
+    fix: { suggestion: 'Use SecureRandom for temp file names or let Tempfile handle naming.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /File\.(?:write|open)\s*\(\s*["']\/tmp\//,
+      );
+    },
+  },
+
+  // SEC-RUBY-040: File.delete with user input
+  {
+    id: 'SEC-RUBY-040',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Arbitrary File Deletion',
+    description: 'Passing user input to File.delete or FileUtils.rm allows arbitrary file deletion.',
+    fix: { suggestion: 'Validate file paths and restrict to allowed directories.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /(?:File\.delete|FileUtils\.rm)\s*\(.*params/,
+      );
+    },
+  },
+
+  // ===========================================================================
+  // Metaprogramming (041–045)
+  // ===========================================================================
+
+  // SEC-RUBY-041: eval with user input
+  {
+    id: 'SEC-RUBY-041',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Code Injection via eval()',
+    description: 'Using eval with user-controlled input allows arbitrary code execution.',
+    fix: { suggestion: 'Avoid eval entirely; use safe alternatives like case/when dispatching.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /\beval\s*\(\s*["'].*#\{/,
+      );
+    },
+  },
+
+  // SEC-RUBY-042: send with user input
+  {
+    id: 'SEC-RUBY-042',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Unsafe Dynamic Dispatch via send()',
+    description: 'Using send() with user-controlled method names allows calling any method.',
+    fix: { suggestion: 'Whitelist allowed method names before using send().' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /\.send\s*\(\s*params/,
+      );
+    },
+  },
+
+  // SEC-RUBY-043: constantize with user input
+  {
+    id: 'SEC-RUBY-043',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Unsafe constantize with User Input',
+    description: 'Using constantize on user input allows instantiation of arbitrary classes.',
+    fix: { suggestion: 'Whitelist allowed class names before calling constantize.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /params\[.*\]\.constantize/,
+      );
+    },
+  },
+
+  // SEC-RUBY-044: class_eval with user input
+  {
+    id: 'SEC-RUBY-044',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Code Injection via class_eval',
+    description: 'Using class_eval with interpolated strings allows arbitrary code execution.',
+    fix: { suggestion: 'Use define_method or block form of class_eval instead of string eval.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /class_eval\s*\(\s*["'].*#\{/,
+      );
+    },
+  },
+
+  // SEC-RUBY-045: instance_variable_set with user input
+  {
+    id: 'SEC-RUBY-045',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Unsafe instance_variable_set with User Input',
+    description: 'Using instance_variable_set with user-controlled names allows manipulation of internal state.',
+    fix: { suggestion: 'Whitelist allowed variable names before using instance_variable_set.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /instance_variable_set\s*\(.*params/,
+      );
+    },
+  },
+
+  // ===========================================================================
+  // Crypto (046–050)
+  // ===========================================================================
+
+  // SEC-RUBY-046: Use of MD5
+  {
+    id: 'SEC-RUBY-046',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Weak Hash: MD5',
+    description: 'MD5 is cryptographically broken and should not be used for security purposes.',
+    fix: { suggestion: 'Use SHA-256 or SHA-3 via OpenSSL::Digest::SHA256.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /Digest::MD5/,
+      );
+    },
+  },
+
+  // SEC-RUBY-047: Use of SHA1
+  {
+    id: 'SEC-RUBY-047',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Weak Hash: SHA1',
+    description: 'SHA1 is considered weak for cryptographic purposes.',
+    fix: { suggestion: 'Use SHA-256 or SHA-3 instead of SHA1.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /Digest::SHA1/,
+      );
+    },
+  },
+
+  // SEC-RUBY-048: Hardcoded secret key
+  {
+    id: 'SEC-RUBY-048',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Hardcoded Secret Key',
+    description: 'Hardcoded secret_key_base exposes application to session forgery.',
+    fix: { suggestion: 'Use environment variables or credentials file for secret_key_base.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /secret_key_base\s*=\s*["'][a-f0-9]{30,}/,
+      );
+    },
+  },
+
+  // SEC-RUBY-049: Insecure random number generation
+  {
+    id: 'SEC-RUBY-049',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Insecure Random Number Generation',
+    description: 'Using rand() instead of SecureRandom for security-sensitive values.',
+    fix: { suggestion: 'Use SecureRandom.hex or SecureRandom.uuid for tokens and secrets.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /(?:token|secret|key|password|nonce)\s*=\s*rand\b/,
+      );
+    },
+  },
+
+  // SEC-RUBY-050: Weak cipher mode (ECB)
+  {
+    id: 'SEC-RUBY-050',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Weak Cipher Mode: ECB',
+    description: 'ECB mode does not provide semantic security and leaks data patterns.',
+    fix: { suggestion: 'Use AES-256-GCM or AES-256-CBC with HMAC instead of ECB.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /OpenSSL::Cipher.*ECB/,
+      );
+    },
+  },
+
+  // ===========================================================================
+  // Session / Auth (051–055)
+  // ===========================================================================
+
+  // SEC-RUBY-051: Session stored in cookie without encryption
+  {
+    id: 'SEC-RUBY-051',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Unencrypted Cookie Session Store',
+    description: 'Using CookieStore without encryption exposes session data to clients.',
+    fix: { suggestion: 'Use encrypted cookie store or database-backed sessions.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /session_store\s*:cookie_store/,
+      );
+    },
+  },
+
+  // SEC-RUBY-052: Devise with insecure configuration
+  {
+    id: 'SEC-RUBY-052',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Devise Insecure stretches Configuration',
+    description: 'Setting Devise stretches too low weakens password hashing.',
+    fix: { suggestion: 'Set config.stretches to at least 12 in production.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /config\.stretches\s*=\s*[0-9]\b/,
+      );
+    },
+  },
+
+  // SEC-RUBY-053: Authentication bypass via skip_before_action
+  {
+    id: 'SEC-RUBY-053',
+    category: 'security',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'Authentication Bypass via skip_before_action',
+    description: 'Skipping authenticate_user! may expose actions to unauthenticated users.',
+    fix: { suggestion: 'Carefully scope skip_before_action and verify authorization separately.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /skip_before_action\s+:authenticate/,
+      );
+    },
+  },
+
+  // SEC-RUBY-054: Insecure password comparison
+  {
+    id: 'SEC-RUBY-054',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Insecure Password Comparison',
+    description: 'Using == to compare passwords is vulnerable to timing attacks.',
+    fix: { suggestion: 'Use ActiveSupport::SecurityUtils.secure_compare or bcrypt.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /password\s*==\s*/,
+      );
+    },
+  },
+
+  // SEC-RUBY-055: Hardcoded password in source
+  {
+    id: 'SEC-RUBY-055',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Hardcoded Password',
+    description: 'Hardcoded passwords in source code can be extracted by attackers.',
+    fix: { suggestion: 'Use environment variables or a secrets manager for passwords.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /(?:password|passwd)\s*=\s*["'][^"']{4,}["']/,
+      );
+    },
+  },
+
+  // ===========================================================================
+  // ERB / Slim Templates (056–060)
+  // ===========================================================================
+
+  // SEC-RUBY-056: Unescaped ERB output
+  {
+    id: 'SEC-RUBY-056',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Unescaped ERB Output Tag',
+    description: 'Using <%== or raw in ERB templates outputs unescaped HTML, enabling XSS.',
+    fix: { suggestion: 'Use <%= which auto-escapes output, or sanitize() for HTML content.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /<%==\s/,
+      );
+    },
+  },
+
+  // SEC-RUBY-057: ERB template with direct params access
+  {
+    id: 'SEC-RUBY-057',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Direct params Access in Template',
+    description: 'Accessing params directly in templates bypasses controller-level sanitization.',
+    fix: { suggestion: 'Pass sanitized data from the controller via instance variables.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /<%=.*params\[/,
+      );
+    },
+  },
+
+  // SEC-RUBY-058: Slim template with unescaped output
+  {
+    id: 'SEC-RUBY-058',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Unescaped Slim Output',
+    description: 'Using == in Slim templates outputs unescaped HTML, enabling XSS.',
+    fix: { suggestion: 'Use = for escaped output in Slim templates.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /^\s*==\s+.*params/,
+      );
+    },
+  },
+
+  // SEC-RUBY-059: render with user-controlled template
+  {
+    id: 'SEC-RUBY-059',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Template Injection via render with User Input',
+    description: 'Passing user input to render() template name allows arbitrary template rendering.',
+    fix: { suggestion: 'Whitelist allowed template names; never pass params directly to render.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /render\s+params\[/,
+      );
+    },
+  },
+
+  // SEC-RUBY-060: Haml unescaped output
+  {
+    id: 'SEC-RUBY-060',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Unescaped Haml Output',
+    description: 'Using != in Haml templates outputs unescaped HTML, enabling XSS.',
+    fix: { suggestion: 'Use = for auto-escaped output in Haml templates.' },
+    check({ files }) {
+      return checkRuby(this, files,
+        /!=\s+.*params/,
+      );
+    },
+  },
+];
+
+export default rules;