Ruby Rules

SAST rules for Ruby that identify insecure patterns in application code.

Ruby Rule Catalog

ID	Title	Severity	Category
CODE-0274	Faraday HTTP Request Disables SSL/TLS Verification	CRITICAL	InsecureConfig
CODE-0499	Unsafe YAML Deserialization	CRITICAL	Deserialization
CODE-0524	Deserialization of untrusted data	CRITICAL	Deserialization
CODE-0525	Deserialization of untrusted data	CRITICAL	Deserialization
CODE-0526	Unsafe Deserialization from YAML	CRITICAL	Deserialization
CODE-0529	Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')	CRITICAL	Injection
CODE-0539	OS Command Injection	CRITICAL	Injection
CODE-0540	Improper control of generation of code ('Code Injection')	CRITICAL	Injection
CODE-0541	OS Command Injection	CRITICAL	Injection
CODE-0545	Improper control of generation of code ('Code Injection')	CRITICAL	Injection
CODE-0546	Improper control of generation of code ('Code Injection')	CRITICAL	Injection
CODE-0550	Avoid Session Manipulation	CRITICAL	AccessControl
CODE-0551	SQL Injection	CRITICAL	Injection
CODE-0763	Hardcoded ActiveRecord Encryption Key	CRITICAL	Secrets
CODE-0807	Disabling SSL/TLS Verification in RestClient	CRITICAL	InsecureConfig
CODE-0001	Insecure TLS Setting in ActionMailer SMTP Configuration	HIGH	InsecureConfig
CODE-0241	ActiveRecord Encryption Misorder	HIGH	Crypto
CODE-0434	Insecure Rails Cache Store Configuration	HIGH	Deserialization
CODE-0437	SAML Response Validation Disabled	HIGH	Auth
CODE-0519	Insecure Cookie Serialization	HIGH	Deserialization
CODE-0635	Insecure use of Rails parameters with _json	HIGH	Injection
CODE-0639	Insecure SSL Setting in Rails Application	HIGH	InsecureConfig
CODE-0798	Custom JSON Deserialization	HIGH	Deserialization
CODE-0003	Insecure use of global timeout	MEDIUM	Generic
CODE-0226	Insecure Rails Cookie Session Store	MEDIUM	Web
CODE-0520	Inadequate RSA Key Size	MEDIUM	Crypto
CODE-0521	Use of weak hash	MEDIUM	Crypto
CODE-0522	Use of weak hash	MEDIUM	Crypto
CODE-0523	Cross-site request forgery (CSRF) protection missing	MEDIUM	Web
CODE-0528	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	MEDIUM	Web
CODE-0530	Detailed Exceptions Enabled	MEDIUM	InsecureConfig
CODE-0531	Path Traversal Vulnerability	MEDIUM	AccessControl
CODE-0532	Path Traversal in Render Function	MEDIUM	AccessControl
CODE-0533	External control of file name or path	MEDIUM	Injection
CODE-0534	Insecure use of skip_filter or skip_before_filter	MEDIUM	AccessControl
CODE-0535	Unscoped Find Method Call with User-Controlled Input	MEDIUM	AccessControl
CODE-0536	Avoid Tainted FTP Call	MEDIUM	Injection
CODE-0537	Server Side Request Forgery (SSRF) via Unvalidated User Input in Net::HTTP Methods	MEDIUM	Injection
CODE-0538	Improper HTTP Verb Confusion Check	MEDIUM	Web
CODE-0542	Mass Assignment Vulnerability	MEDIUM	Injection
CODE-0543	Unprotected Mass Assignment	MEDIUM	Injection
CODE-0547	Inefficient Regular Expression Complexity	MEDIUM	Injection
CODE-0548	Incorrect Regular Expression	MEDIUM	Injection
CODE-0549	Incorrect Default Permissions	MEDIUM	AccessControl
CODE-0552	Cleartext transmission of sensitive information	MEDIUM	InsecureConfig
CODE-0553	Improper Certificate Validation	MEDIUM	Crypto
CODE-0554	Cross-site Scripting (XSS) in link_to	MEDIUM	Injection
CODE-0555	Avoid render inline to prevent cross-site scripting (XSS)	MEDIUM	Web
CODE-0556	Avoid render text to prevent XSS	MEDIUM	Injection
CODE-0557	Manual Creation of ERB Templates	MEDIUM	Web
CODE-0770	Insecure Rails Cookie Attributes	MEDIUM	Web
CODE-0518	Sensitive cookie without 'HttpOnly' and 'Secure' flags	LOW	Web
CODE-0527	Division by Zero	LOW	Injection
CODE-0544	URL Redirection to Untrusted Site 'Open Redirect'	LOW	Web

---

Total Rules: 54

Click on any rule ID to view detailed information, examples, and remediation guidance.