zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-05-15 21:33:04 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
0d8f4c64b807248091c207167b3ab375b9e3ea54
everything-claude-code/rules/ruby/security.md
Affaan Mustafa 375d750b4c fix: integrate recent hook and docs PRs (#1905) 
Integrates useful changes from #1882, #1884, #1889, #1893, #1898, #1899, and #1903:
- fix rule install docs to preserve language directories
- correct Ruby security command examples
- harden dev-server hook command-substitution parsing
- add Prisma patterns skill and catalog/package surfaces
- allow first-time protected config creation while blocking existing configs
- read cost metrics from Stop hook transcripts
- emit suggest-compact additionalContext on stdout

Co-authored-by: Jamkris <dltmdgus1412@gmail.com>
Co-authored-by: Levi-Evan <levishantz@gmail.com>
Co-authored-by: gaurav0107 <gauravdubey0107@gmail.com>
Co-authored-by: richm-spp <richard.millar@salarypackagingplus.com.au>
Co-authored-by: zomia <zomians@outlook.jp>
Co-authored-by: donghyeun02 <donghyeun02@gmail.com>
2026-05-14 21:37:28 -04:00

1.9 KiB
Raw Blame History

paths
paths
**/*.rb
**/*.rake
**/Gemfile
**/Gemfile.lock
**/config/routes.rb
**/config/credentials*.yml.enc

Ruby Security

This file extends common/security.md with Ruby and Rails specific content.

Rails Defaults

  • Keep CSRF protection enabled for state-changing browser requests.
  • Use strong parameters or typed boundary objects before mass assignment.
  • Store secrets in Rails credentials, environment variables, or a secret manager. Never commit plaintext keys, tokens, private credentials, or copied .env values.

SQL And Active Record

  • Prefer Active Record query APIs and parameterized SQL.
  • Never interpolate request, cookie, header, job, or webhook values into SQL strings.
  • Scope model callbacks carefully; security-sensitive side effects should be explicit and covered by tests.

Authentication And Sessions

  • Use the Rails 8 authentication generator for simple session auth, or Devise when OAuth, MFA, confirmable, lockable, multi-model auth, or existing Devise conventions are required.
  • Rotate sessions after sign-in and privilege changes.
  • Protect account recovery flows with expiry, single-use tokens, rate limiting, and audit logging.

Dependencies

  • Run dependency checks when the lockfile changes:
bundle exec bundle-audit check --update
bundle exec brakeman --no-progress
  • Review new gems for maintainer activity, native extension risk, transitive dependencies, and whether the same behavior can be implemented with Rails core.

Web Safety

  • Escape template output by default. Treat html_safe, raw, and custom sanitizers as security-sensitive code.
  • Validate file uploads by content type, extension, size, and storage destination.
  • Treat background jobs, webhooks, Action Cable messages, and Turbo Stream inputs as untrusted boundaries.

Reference

See skill: security-review for secure-by-default review patterns.

Reference in New Issue View Git Blame Copy Permalink