"GitLab Advanced SAST rules: Ruby"
- Tier: Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Rules used by GitLab Advanced SAST to detect vulnerabilities in Ruby code.
| Rule ID | Rule description | CWE | OWASP Top 10 |
|---|---|---|---|
| ruby-digest-crypto-md5-usage-atomic | Use of weak hash | CWE-328 | A3:2017, A02:2021 |
| ruby-lang-cmdi-exec-taint | Improper control of generation of code ('Code Injection') | CWE-94 | A1:2017, A03:2021 |
| ruby-lang-codei-badsend-taint | Improper control of generation of code ('Code Injection') | CWE-94 | A1:2017, A03:2021 |
| ruby-lang-crypto-rule-insufficient_rsa_key_size-atomic | Inadequate encryption strength | CWE-326 | A3:2017, A02:2021 |
| ruby-lang-crypto-sha1_usage-atomic | Use of weak hash | CWE-328 | A3:2017, A02:2021 |
| ruby-lang-crypto-ssl-mode-noverify-atomic | Improper certificate validation | CWE-295 | A3:2017, A07:2021 |
| ruby-lang-deserialization-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 |
| ruby-lang-deserialization-yaml-taint | Deserialization of untrusted data | CWE-502 | A8:2017, A08:2021 |
| ruby-lang-pathtraversal-render-functions-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 |
| ruby-lang-xss-avoid-linkto-taint | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A7:2017, A03:2021 |
| ruby-nethttp-ssrf-taint | Server-side request forgery (SSRF) | CWE-918 | A1:2017, A10:2021 |
| ruby-rails-accesscontrol-checkbeforefilter-atomic | Exposed dangerous method or function | CWE-749 | A5:2017, A01:2021 |
| ruby-rails-accesscontrol-defaultroutes-atomic | Incorrect default permissions | CWE-276 | A5:2017, A01:2021 |
| ruby-rails-accesscontrol-massassignment-modelattraccessible-atomic | Improperly controlled modification of dynamically-determined object attributes | CWE-915 | A5:2017, A08:2021 |
| ruby-rails-accesscontrol-session-manipulation-taint | Authorization bypass through user-controlled key | CWE-639 | A5:2017, A01:2021 |
| ruby-rails-accesscontrol-unprotected-mass-assign-taint | Improperly controlled modification of dynamically-determined object attributes | CWE-915 | A5:2017, A08:2021 |
| ruby-rails-accesscontrol-unscoped-find-taint | Authorization bypass through user-controlled key | CWE-639 | A5:2017, A01:2021 |
| ruby-rails-cmdi-avaoid-ftp-call-taint | Improper neutralization of equivalent special elements | CWE-76 | A1:2017, A03:2021 |
| ruby-rails-cmdi-os-shell-commands-taint | Improper neutralization of special elements used in an OS command ('OS Command Injection') | CWE-78 | A1:2017, A03:2021 |
| ruby-rails-codei-noeval-taint | Improper neutralization of directives in dynamically evaluated code ('Eval Injection') | CWE-95 | A1:2017, A03:2021 |
| ruby-rails-codei-unsafe-reflection-methods-taint | Improper control of generation of code ('Code Injection') | CWE-94 | A1:2017, A03:2021 |
| ruby-rails-codei-unsafe-reflection-taint | Improper control of generation of code ('Code Injection') | CWE-94 | A1:2017, A03:2021 |
| ruby-rails-csrf-no-protection-atomic | Cross-site request forgery (CSRF) | CWE-352 | A5:2017, A01:2021 |
| ruby-rails-deserialization-cookieserialization-atomic | Improper control of generation of code ('Code Injection') | CWE-94 | A1:2017, A03:2021 |
| ruby-rails-dos-regexdos-taint | Inefficient regular expression complexity | CWE-1333 | A6:2017, A04:2021 |
| ruby-rails-misconfiguration-checkhttpverbconfusion-atomic | Improper check for unusual or exceptional conditions | CWE-754 | A6:2017, A04:2021 |
| ruby-rails-misconfiguration-cookie-security-flags-atomic | Sensitive cookie without 'HttpOnly' flag | CWE-1004 | A6:2017, A05:2021 |
| ruby-rails-misconfiguration-detailed-exception-atomic | Generation of error message containing sensitive information | CWE-209 | A3:2017, A05:2021 |
| ruby-rails-misconfiguration-dividebyzero-atomic | Divide by zero | CWE-369 | A6:2017, A04:2021 |
| ruby-rails-misconfiguration-force-SSL-false-atomic | Missing encryption of sensitive data | CWE-311 | A6:2017, A05:2021 |
| ruby-rails-openredirect-checkredirect-to-taint | URL redirection to untrusted site ('Open Redirect') | CWE-601 | A1:2017, A03:2021 |
| ruby-rails-pathtraversal-checksendfile-taint | External control of file name or path | CWE-73 | A5:2017, A01:2021 |
| ruby-rails-pathtraversal-taintedfileaccess-taint | Improper limitation of a pathname to a restricted directory ('Path Traversal') | CWE-22 | A5:2017, A01:2021 |
| ruby-rails-sqli-taint | Improper neutralization of special elements used in a SQL command ('SQL Injection') | CWE-89 | A1:2017, A03:2021 |
| ruby-rails-xss-avoidrendertext-taint | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A7:2017, A03:2021 |
| ruby-rails-xss-jsonentityescape-atomic | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A7:2017, A03:2021 |
| ruby-rails-xss-manualtemplatecreation-taint | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A7:2017, A03:2021 |
| ruby-rails-xss-render-inline-taint | Improper neutralization of input during web page generation ('Cross-site Scripting') | CWE-79 | A7:2017, A03:2021 |