
rails-security

Security audit for Ruby on Rails applications covering strong parameters / mass assignment, ActiveRecord SQL injection, ERB template safety, CSRF protection (`protect_from_forgery`), Devise authentication, CanCanCan/Pundit authorization, `secret_key_base`, `credentials.yml.enc`, and other Rails-specific patterns. Use this skill whenever the user mentions Ruby on Rails, Rails 6/7/8, ActiveRecord, ActiveAdmin, Devise, Pundit, CanCanCan, strong_parameters, ERB, Brakeman, or asks "audit my Rails app", "Rails security review", "Brakeman". Trigger when the codebase contains `Gemfile`, `config/application.rb`, or `rails` in dependencies.
hlsitechio/claude-skills-security · ★ 1 · AI & Automation · score 65
Install: claude install-skill hlsitechio/claude-skills-security
# Ruby on Rails Security Audit

Audit Rails applications (Rails 6, 7, 8).

## When this skill applies

- Reviewing controllers, models, views
- Auditing strong parameters / mass assignment
- Reviewing ActiveRecord queries for injection
- Checking Devise / Pundit / CanCanCan setup
- Auditing secrets and credential management

## Workflow

Follow `../_shared/audit-workflow.md`.

### Phase 1: Stack detection

```bash
grep -E "rails" Gemfile | head
bundle exec rails --version 2>/dev/null
```

### Phase 2: Inventory

```bash
# Controllers
find app/controllers -name '*.rb' | head
# Models
find app/models -name '*.rb' | head
# Routes
cat config/routes.rb 2>/dev/null | head -100
# Initializers (security-relevant)
ls config/initializers/
# Brakeman recommended
which brakeman 2>/dev/null || echo "Install: gem install brakeman"
```

### Phase 3: Detection — the checks

#### Strong parameters

- **RLS-SP-1** Every controller action accepting params for create/update uses a `permit` allowlist:

  ```ruby
  def user_params
    params.require(:user).permit(:email, :name)
    # role, admin flags explicitly NOT in permit
  end
  ```

- **RLS-SP-2** No `params.permit!` (allows everything — equivalent to no protection).
- **RLS-SP-3** Nested attributes use `permit(:foo, addresses_attributes: [:street, :city])`, not `permit!`.

#### SQL injection (ActiveRecord)

- **RLS-SQL-1** `where("name = '#{params[:name]}'")` is injection. Use placeholders:

  ```ruby
  User.where("name = ?", params[:name])
  ```
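The strong-parameter and SQL-injection checks above (RLS-SP-1, RLS-SP-2 and RLS-SQL-1) written out as a runnable line-oriented scan over Ruby source. This is an added example for this page, not Brakeman and not code shipped with the skill; the check ids are the ones defined above, the regexes, the `scan_rails_source` function and the two controller sources it is run against are all constructed here. It assumes each offending call sits on one source line, so a `where` whose interpolated fragment is assembled on an earlier line is missed, and the RLS-SP-1 pattern is a heuristic: it only catches raw `params` handed straight to `new`/`create`/`update`/`assign_attributes`; a `user_params` helper that calls `permit!` is caught by RLS-SP-2 instead, and a helper that permits `:admin` outright is something no pattern scan can see.

```ruby
# Added example: minimal static scan for RLS-SP-1, RLS-SP-2 and RLS-SQL-1.
# Not Brakeman and not part of the skill; check ids come from the page, the
# patterns and sample sources are constructed for this example.

Finding = Struct.new(:id, :file, :line, :message, :source)

# One entry per check: a regex that matches a single offending source line.
RAILS_CHECKS = [
  # RLS-SP-2: permit! lets every submitted attribute through.
  { id: "RLS-SP-2",
    message: "params.permit! disables mass-assignment protection",
    pattern: /\bpermit!/ },
  # RLS-SP-1 (heuristic): raw params (or params.require(...) with no permit)
  # passed directly into a model constructor/update.
  { id: "RLS-SP-1",
    message: "raw params passed to model without a permit allowlist",
    pattern: /\.(new|create!?|update!?|assign_attributes|update_attributes)\(\s*params(\[:?\w+\]|\.require\([^)]*\))?\s*\)/ },
  # RLS-SQL-1: Ruby string interpolation inside a SQL fragment method.
  { id: "RLS-SQL-1",
    message: "string interpolation in SQL fragment; use ? or named placeholders",
    pattern: /\.(where|order|select|group|having|joins|find_by_sql|pluck)\(\s*"[^"]*\#\{/ },
]

# Scan one file's text; returns an Array of Finding in source order.
def scan_rails_source(path, source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    next if line.lstrip.start_with?("#") # skip comment-only lines
    RAILS_CHECKS.each do |check|
      next unless line.match?(check[:pattern])
      findings << Finding.new(check[:id], path, lineno, check[:message], line.strip)
    end
  end
  findings
end

# Human-readable report lines, one per finding.
def report(findings)
  findings.map { |f| "#{f.file}:#{f.line} [#{f.id}] #{f.message}\n    #{f.source}" }
end

# Constructed sample: a controller that trips all three checks (lines 3, 9, 13).
VULNERABLE_CONTROLLER = <<~'RUBY'
  class UsersController < ApplicationController
    def create
      @user = User.new(params[:user])
      @user.save
    end

    def update
      @user = User.find(params[:id])
      @user.update(params.require(:user).permit!)
    end

    def search
      @users = User.where("name = '#{params[:name]}'")
    end
  end
RUBY

# Constructed sample: the same controller written the way the checks require.
SAFE_CONTROLLER = <<~'RUBY'
  class UsersController < ApplicationController
    def create
      @user = User.new(user_params)
      @user.save
    end

    def search
      @users = User.where("name = ?", params[:name])
    end

    private

    def user_params
      params.require(:user).permit(:email, :name, addresses_attributes: [:street, :city])
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  puts report(scan_rails_source("app/controllers/users_controller.rb", VULNERABLE_CONTROLLER))
  puts "safe controller: #{scan_rails_source('safe.rb', SAFE_CONTROLLER).size} findings"
end
```

To run it over a real checkout, feed it the files from Phase 2: `Dir.glob("app/**/*.rb").flat_map { |f| scan_rails_source(f, File.read(f)) }`. Treat the output as a worklist to confirm by hand, not as a verdict; a placeholder query that is later wrapped in `Arel.sql` or an interpolated fragment built across several lines both fall outside what a single-line regex can see, which is why the workflow still recommends Brakeman.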