class RailsSecurityTagger

Overview

Rails-specific security tagger.

ruby_auth already classifies authentication (Devise/Pundit/CanCanCan/…), so this tagger covers the other Rails controller-level security signals that map cleanly onto an action and are deviations from the framework default — i.e. worth a reviewer's attention rather than ambient noise:

Like ruby_auth, detection is single-file and line-based: it walks the controller the action lives in. Cross-file concerns (a null_session base controller inherited by children, a Rack::Attack initializer) are out of scope by design — those live outside the action's own file.

Defined in:

tagger/framework_taggers/ruby/rails_security.cr

Constant Summary

CSRF_DISABLE_PATTERNS = [{/skip_before_action\s+:verify_authenticity_token/, "verify_authenticity_token skipped"}, {/skip_forgery_protection/, "skip_forgery_protection"}]

Class-level macros that turn CSRF verification OFF for (some) actions.

CSRF_NULL_SESSION_PATTERN = /protect_from_forgery\s+.*with:\s*:null_session/

protect_from_forgery with: :null_session keeps the filter but lets a forged request through with a blank session instead of rejecting it — the usual choice for token/API controllers, and worth flagging because cookie-session callers lose CSRF rejection.

MASS_ASSIGN_BANG_PATTERNS = [{/params\.permit!/, "params.permit!"}, {/params\.to_unsafe_h(?:ash)?\b/, "params.to_unsafe_h"}]

Strong-Parameters escape hatches in an action body.

MASS_ASSIGN_WRITER_PATTERN = /\.(?:new|create|create!|update|update!|update_attributes|update_attributes!|assign_attributes)\s*\(\s*params\[/

A raw params[:x] hash passed straight into a model writer (no intervening .permit). find/where take a scalar id, so they are deliberately excluded — only attribute-setting writers are risky.

RATE_LIMIT_PATTERN = /\brate_limit\s+(?:to|within|by|with|store|name|only|except):/

Rails 8 rate_limit to: N, within: T[, only:/except:] declared like a before_action at class scope.
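The patterns above, re-typed in Ruby and run over a constructed Rails controller, as an added example (it is not the tagger's own Crystal source): the scan is single-file and line-based, and the sample shows which lines are flagged and which framework-default lines (find(params[:id]), require(...).permit(...)) stay silent.

```ruby
# Added example (not the project's Crystal source): the tagger's patterns re-typed
# in Ruby and run over a constructed controller to show what is and is not flagged.

CSRF_DISABLE_PATTERNS = [
  [/skip_before_action\s+:verify_authenticity_token/, "verify_authenticity_token skipped"],
  [/skip_forgery_protection/, "skip_forgery_protection"],
]
CSRF_NULL_SESSION_PATTERN = /protect_from_forgery\s+.*with:\s*:null_session/
MASS_ASSIGN_BANG_PATTERNS = [
  [/params\.permit!/, "params.permit!"],
  [/params\.to_unsafe_h(?:ash)?\b/, "params.to_unsafe_h"],
]
MASS_ASSIGN_WRITER_PATTERN =
  /\.(?:new|create|create!|update|update!|update_attributes|update_attributes!|assign_attributes)\s*\(\s*params\[/
RATE_LIMIT_PATTERN = /\brate_limit\s+(?:to|within|by|with|store|name|only|except):/

# Single-file, line-based walk: returns [line_number, label] pairs in source order.
def scan_controller(source)
  findings = []
  source.each_line.with_index(1) do |line, no|
    CSRF_DISABLE_PATTERNS.each { |re, label| findings << [no, label] if line =~ re }
    findings << [no, "null_session"] if line =~ CSRF_NULL_SESSION_PATTERN
    MASS_ASSIGN_BANG_PATTERNS.each { |re, label| findings << [no, label] if line =~ re }
    findings << [no, "raw params to writer"] if line =~ MASS_ASSIGN_WRITER_PATTERN
    findings << [no, "rate_limit"] if line =~ RATE_LIMIT_PATTERN
  end
  findings
end

# Constructed sample controller; find(params[:id]) and require/permit must stay unflagged.
SAMPLE_CONTROLLER = <<~RUBY
  class Api::UsersController < ApplicationController
    protect_from_forgery with: :null_session
    skip_before_action :verify_authenticity_token, only: [:webhook]
    rate_limit to: 10, within: 1.minute, only: :create

    def show
      @user = User.find(params[:id])
    end

    def create
      @user = User.new(params[:user])
      @user.assign_attributes(params.permit!)
      @user.update(params.to_unsafe_h)
      @user.update(params.require(:user).permit(:name))
    end
  end
RUBY
```

Running scan_controller(SAMPLE_CONTROLLER) flags lines 2, 3, 4, 11, 12 and 13 of the sample and nothing else; a null_session base class or a Rack::Attack initializer in another file would not be seen, matching the single-file scope described above.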

Constructors

Class Method Summary

Instance Method Summary

Instance methods inherited from class FrameworkTagger

collect_files_by_extension(extension : String) : Array(String)
read_file(path : String) : String | Nil
read_source_context(endpoint : Endpoint) : Array(SourceContext)
static_asset_route?(url : String) : Bool

Constructor methods inherited from class FrameworkTagger

new(options : Hash(String, YAML::Any))

Class methods inherited from class FrameworkTagger

target_techs : Array(String)

Instance methods inherited from module FileHelper

all_files : Array(String)
get_files_by_extension(extension : String) : Array(String)
get_files_by_prefix(prefix : String) : Array(String)
get_files_by_prefix_and_extension(prefix : String, extension : String) : Array(String)
get_public_dir_files(base_path : String, folder : String) : Array(String)
get_public_files(base_path : String, anchors : Array(String) = ["shard.yml", "Gemfile"]) : Array(String)

Instance methods inherited from class Tagger

name : String
perform(endpoints : Array(Endpoint)) : Array(Endpoint)

Constructor methods inherited from class Tagger

new(options : Hash(String, YAML::Any))

Constructor Detail

def self.new(options : Hash(String, YAML::Any))

Class Method Detail

def self.target_techs : Array(String)

Instance Method Detail

def perform(endpoints : Array(Endpoint)) : Array(Endpoint)