ruby_on_rail_baseline.yaml
# ==========================================================
# Semgrep Ruleset for Ruby and Ruby Frameworks Security
# Created by: Conviso
# Description: This ruleset is designed to detect common
# vulnerabilities in Ruby applications, including Rails,
# Sinatra, Hanami, and Padrino, covering SQL Injection,
# Mass Assignment, Command Injection, and Path Traversal.
#
# Conventions: remediation advice is carried in `message:` (Semgrep's
# `fix:` key is an autofix replacement string, not free text). Rules
# that match several alternative call shapes use `pattern-either:`,
# since `patterns:` is a logical AND of its entries.
# ==========================================================
rules:
  - id: detect-sql-injection-rails
    languages: [ruby]
    severity: ERROR
    patterns:
      - pattern: |
          User.where("name = '#{params[:name]}'")
    message: |
      Possible SQL Injection vulnerability in Rails ActiveRecord query. Avoid using unsanitized user input.
      Fix: use parameterized queries with ActiveRecord to avoid SQL Injection. Example:
        User.where("name = ?", params[:name])
    metadata:
      cwe: CWE-89
      owasp: A1 Injection

  - id: detect-sql-injection-sinatra
    languages: [ruby]
    severity: ERROR
    patterns:
      - pattern: |
          DB.execute("SELECT * FROM users WHERE name = '" + params[:name] + "'")
    message: |
      Possible SQL Injection vulnerability in Sinatra database query. Avoid using unsanitized user input.
      Fix: use parameterized queries to avoid SQL Injection in Sinatra. Example:
        DB.execute("SELECT * FROM users WHERE name = ?", [params[:name]])
    metadata:
      cwe: CWE-89
      owasp: A1 Injection

  - id: detect-sql-injection-hanami
    languages: [ruby]
    severity: ERROR
    patterns:
      - pattern: |
          repo.where("name = '#{params[:name]}'")
    message: |
      Possible SQL Injection vulnerability in Hanami query. Avoid using unsanitized user input.
      Fix: pass conditions as a hash so Hanami binds the value instead of interpolating it. Example:
        repo.where(name: params[:name])
    metadata:
      cwe: CWE-89
      owasp: A1 Injection

  - id: detect-sql-injection-padrino
    languages: [ruby]
    severity: ERROR
    patterns:
      - pattern: |
          User.where("name = '#{params[:name]}'")
    message: |
      Possible SQL Injection vulnerability in Padrino ActiveRecord query. Avoid using unsanitized user input.
      Fix: use parameterized queries with ActiveRecord in Padrino. Example:
        User.where("name = ?", params[:name])
    metadata:
      cwe: CWE-89
      owasp: A1 Injection

  - id: detect-mass-assignment-rails
    languages: [ruby]
    severity: ERROR
    pattern-either:
      - pattern: |
          User.new(params[:user])
      - pattern: |
          @user.update(params[:user])
    message: |
      Possible Mass Assignment vulnerability. Avoid passing the raw `params` hash to `new` or `update`.
      Fix: use strong parameters to whitelist the attributes a request may set. Example:
        User.new(params.require(:user).permit(:name, :email))
    metadata:
      cwe: CWE-915
      owasp: A4 Insecure Design

  - id: detect-command-injection-ruby
    languages: [ruby]
    severity: ERROR
    pattern-either:
      - pattern: |
          `#{params[:command]}`
      - pattern: |
          system(params[:command])
    message: |
      Possible Command Injection vulnerability. Avoid using unsanitized user input in system commands.
      Fix: never build a shell string from user input (backticks always go through the shell).
      Use the multi-argument form of `system()`, which passes arguments directly to the program
      without a shell, and validate the value against an allowlist first. Example:
        system("safe_command", params[:command])
    metadata:
      cwe: CWE-78
      owasp: A1 Injection

  - id: detect-path-traversal-ruby
    languages: [ruby]
    severity: ERROR
    pattern-either:
      - pattern: |
          File.read(params[:file_path])
      - pattern: |
          File.open(params[:file_path])
    message: |
      Possible Path Traversal vulnerability. Avoid using unsanitized user input in file paths.
      Fix: resolve the input against a fixed base directory and reject any result that escapes it.
      `File.expand_path` on its own only normalizes `..`; the prefix check is what blocks traversal. Example:
        base = File.expand_path("uploads")
        safe_path = File.expand_path(params[:file_path], base)
        raise ArgumentError, "invalid path" unless safe_path.start_with?(base + File::SEPARATOR)
        File.read(safe_path)
    metadata:
      cwe: CWE-22
      owasp: A5 Broken Access Control

  - id: detect-insecure-deserialization-ruby
    languages: [ruby]
    severity: ERROR
    patterns:
      - pattern: |
          Marshal.load(params[:data])
    message: |
      Possible Insecure Deserialization vulnerability. Avoid deserializing untrusted user input.
      Fix: never call `Marshal.load` on data from a request; use a data-only format such as JSON. Example:
        data = JSON.parse(params[:data])
    metadata:
      cwe: CWE-502
      owasp: A8 Insecure Deserialization

  - id: detect-sensitive-data-exposure-ruby
    languages: [ruby]
    severity: WARNING
    pattern-either:
      - pattern: |
          logger.debug(params[:password])
      - pattern: |
          puts params[:credit_card]
    message: |
      Sensitive data exposure. Avoid logging sensitive information such as passwords or credit card numbers.
      Fix: mask sensitive data before logging or output (`mask_sensitive_data` is an application-provided helper),
      and in Rails also add the parameter names to `config.filter_parameters` so request logs redact them. Example:
        logger.debug(mask_sensitive_data(params[:password]))
    metadata:
      cwe: CWE-200
      owasp: A3 Sensitive Data Exposure
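The path-traversal and sensitive-data rules above point at remediation code their messages only sketch. The following is an added example, not part of the Conviso ruleset: a `confined_path`/`safe_read` pair that shows why the base-directory prefix check (and not `File.expand_path` alone) is what stops traversal, plus one possible `mask_sensitive_data` helper; all names are assumptions.

```ruby
# Added example (not from the ruleset): hardened counterparts for the
# CWE-22 and CWE-200 fix hints. Helper names are assumptions.
require "fileutils" # stdlib, used when exercising safe_read on a scratch dir
require "tmpdir"

# Resolve user_path relative to base_dir and return nil if the result
# escapes base_dir. File.expand_path normalizes "../" and absolute
# paths, but it does not confine them; the prefix check does that.
# Symlinks inside base_dir are not resolved here; use File.realpath
# on the result if the base may contain links pointing outside it.
def confined_path(base_dir, user_path)
  base = File.expand_path(base_dir)
  resolved = File.expand_path(user_path.to_s, base)
  return nil unless resolved.start_with?(base + File::SEPARATOR)
  resolved
end

# Read a file only if it lies inside base_dir; raise otherwise so the
# caller cannot accidentally fall through to an unconfined File.read.
def safe_read(base_dir, user_path)
  path = confined_path(base_dir, user_path)
  raise ArgumentError, "path escapes #{base_dir}" if path.nil?
  File.read(path)
end

# Replace all but the last `visible` characters with "*" so a logged
# value cannot be recovered from the log line.
def mask_sensitive_data(value, visible: 4)
  s = value.to_s
  return "*" * s.length if s.length <= visible
  ("*" * (s.length - visible)) + s[-visible..]
end
```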