GitLab Advanced SAST rules: Ruby
- Tier: Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Rules used by GitLab Advanced SAST to detect vulnerabilities in Ruby code.
| Rule ID | Rule description | CWE | OWASP Top 10 |
|---|---|---|---|
| ruby-digest-crypto-md5-usage-atomic | Use of weak hash | CWE-328 | A3:2017, A02:2021 |
| ruby-lang-cmdi-exec-taint | Improper control of generation of code (‘Code Injection’) | CWE-94 | A1:2017, A03:2021 |
| ruby-lang-codei-badsend-taint | Improper control of generation of code (‘Code Injection’) | CWE-94 | A1:2017, A03:2021 |
| ruby-lang-crypto-rule-insufficient_rsa_key_size-atomic | Inadequate encryption strength | CWE-326 | A3:2017, A02:2021 |
| ruby-lang-crypto-sha1_usage-atomic | Use of weak hash | CWE-328 | A3:2017, A02:2021 |
| ruby-lang-crypto-ssl-mode-noverify-atomic | Improper certificate validation | CWE-295 | A3:2017, A07:2021 |
| ruby-lang-deserialization-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 |
| ruby-lang-deserialization-yaml-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 |
| ruby-lang-pathtraversal-render-functions-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 |
| ruby-lang-xss-avoid-linkto-taint | Improper neutralization of input during web page generation (‘Cross-site Scripting’) | CWE-79 | A7:2017, A03:2021 |
| ruby-nethttp-ssrf-taint | Server side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 |
| ruby-rails-accesscontrol-checkbeforefilter-atomic | Exposed dangerous method or function | CWE-749 | A5:2017, A01:2021 |
| ruby-rails-accesscontrol-defaultroutes-atomic | Incorrect Default Permissions | CWE-276 | A5:2017, A01:2021 |
| ruby-rails-accesscontrol-massassignment-modelattraccessible-atomic | Improperly controlled modification of dynamically-determined object attributes | CWE-915 | A5:2017, A08:2021 |
| ruby-rails-accesscontrol-session-manipulation-taint | Authorization bypass through user-controlled key | CWE-639 | A5:2017, A01:2021 |
| ruby-rails-accesscontrol-unprotected-mass-assign-taint | Improperly controlled modification of dynamically-determined object attributes | CWE-915 | A5:2017, A08:2021 |
| ruby-rails-accesscontrol-unscoped-find-taint | Authorization bypass through user-controlled key | CWE-639 | A5:2017, A01:2021 |
| ruby-rails-cmdi-avaoid-ftp-call-taint | Improper neutralization of equivalent special elements | CWE-76 | A1:2017, A03:2021 |
| ruby-rails-cmdi-os-shell-commands-taint | Improper neutralization of special elements used in an OS command (‘OS Command Injection’) | CWE-78 | A1:2017, A03:2021 |
| ruby-rails-codei-noeval-taint | Improper neutralization of directives in dynamically evaluated code (‘Eval Injection’) | CWE-95 | A1:2017, A03:2021 |
| ruby-rails-codei-unsafe-reflection-methods-taint | Improper control of generation of code (‘Code Injection’) | CWE-94 | A1:2017, A03:2021 |
| ruby-rails-codei-unsafe-reflection-taint | Improper control of generation of code (‘Code Injection’) | CWE-94 | A1:2017, A03:2021 |
| ruby-rails-csrf-no-protection-atomic | Cross-site request forgery (CSRF) | CWE-352 | A5:2017, A01:2021 |
| ruby-rails-deserialization-cookieserialization-atomic | Improper control of generation of code (‘Code Injection’) | CWE-94 | A1:2017, A03:2021 |
| ruby-rails-dos-regexdos-taint | Inefficient regular expression complexity | CWE-1333 | A6:2017, A04:2021 |
| ruby-rails-misconfiguration-checkhttpverbconfusion-atomic | Improper check for unusual or exceptional conditions | CWE-754 | A6:2017, A04:2021 |
| ruby-rails-misconfiguration-cookie-security-flags-atomic | Sensitive cookie without ‘HttpOnly’ flag | CWE-1004 | A6:2017, A05:2021 |
| ruby-rails-misconfiguration-detailed-exception-atomic | Generation of error message containing sensitive information | CWE-209 | A3:2017, A05:2021 |
| ruby-rails-misconfiguration-dividebyzero-atomic | Divide a number by zero | CWE-369 | A6:2017, A04:2021 |
| ruby-rails-misconfiguration-force-SSL-false-atomic | Missing encryption of sensitive data | CWE-311 | A6:2017, A05:2021 |
| ruby-rails-openredirect-checkredirect-to-taint | URL redirection to untrusted site (‘Open Redirect’) | CWE-601 | A1:2017, A03:2021 |
| ruby-rails-pathtraversal-checksendfile-taint | External control of file name or path | CWE-73 | A5:2017, A01:2021 |
| ruby-rails-pathtraversal-taintedfileaccess-taint | Improper limitation of a pathname to a restricted directory (‘Path Traversal’) | CWE-22 | A5:2017, A01:2021 |
| ruby-rails-sqli-taint | Improper neutralization of special elements used in a SQL command (‘SQL Injection’) | CWE-89 | A1:2017, A03:2021 |
| ruby-rails-xss-avoidrendertext-taint | Improper neutralization of input during web page generation (‘Cross-site Scripting’) | CWE-79 | A7:2017, A03:2021 |
| ruby-rails-xss-jsonentityescape-atomic | Improper neutralization of input during web page generation (‘Cross-site Scripting’) | CWE-79 | A7:2017, A03:2021 |
| ruby-rails-xss-manualtemplatecreation-taint | Improper neutralization of input during web page generation (‘Cross-site Scripting’) | CWE-79 | A7:2017, A03:2021 |
| ruby-rails-xss-render-inline-taint | Improper neutralization of input during web page generation (‘Cross-site Scripting’) | CWE-79 | A7:2017, A03:2021 |