Ruby
This page curates a list of example ast-grep rules to check and to rewrite Ruby applications.
Migrate action_filter in Ruby on Rails Has Fix
Description
This rule is used to migrate {before,after,around}_filter to {before,after,around}_action in Ruby on Rails controllers.
These are methods that run before, after or around an action is executed, and they can be used to check permissions, set variables, redirect requests, log events, etc. However, these methods are deprecated in Rails 5.0 and will be removed in Rails 5.1. {before,after,around}_action are the new syntax for the same functionality.
This rule will replace all occurrences of {before,after,around}_filter with {before,after,around}_action in the controller code.
YAML
id: migration-action-filter
language: ruby
rule:
any:
- pattern: before_filter $$$ACTION
- pattern: around_filter $$$ACTION
- pattern: after_filter $$$ACTION
has:
pattern: $FILTER
field: method
fix:
$NEW_ACTION $$$ACTION
transform:
NEW_ACTION:
replace:
source: $FILTER
replace: _filter
by: _actionExample
class TodosController < ApplicationController
before_filter :authenticate
around_filter :wrap_in_transaction, only: :show
after_filter do |controller|
flash[:error] = "You must be logged in"
end
def index
@todos = Todo.all
end
endDiff
class TodosController < ApplicationController
before_action :authenticate
before_filter :authenticate
around_action :wrap_in_transaction, only: :show
around_filter :wrap_in_transaction, only: :show
after_action do |controller|
flash[:error] = "You must be logged in"
end
after_filter do |controller|
flash[:error] = "You must be logged in"
end
def index
@todos = Todo.all
end
endContributed by
Herrington Darkholme, inspired by Future of Ruby - AST Tooling.
Prefer Symbol over Proc Has Fix
Description
Ruby has a more concise symbol shorthand &: to invoke methods. This rule simplifies proc to symbol. This example is inspired by this dev.to article.
YAML
id: prefer-symbol-over-proc
language: ruby
rule:
pattern: $LIST.$ITER { |$V| $V.$METHOD }
constraints:
ITER:
regex: 'map|select|each'
fix: '$LIST.$ITER(&:$METHOD)'Example
[1, 2, 3].select { |v| v.even? }
(1..100).each { |i| i.to_s }
not_list.no_match { |v| v.even? }Diff
[1, 2, 3].select { |v| v.even? }
[1, 2, 3].select(&:even?)
(1..100).each { |i| i.to_s }
(1..100).each(&:to_s)
not_list.no_match { |v| v.even? }Contributed by
Detect Path Traversal Vulnerability in Rails
Description
Path Traversal (Directory Traversal) occurs when user input is used to construct file paths without proper validation. This allows attackers to access files outside the intended directory by using special characters like ../ to navigate the filesystem.
This rule detects common path traversal patterns in Rails applications where user-controlled variables are used in:
Rails.root.join()- Building file paths relative to the Rails application rootFile.join()- Constructing file pathssend_file- Sending files to users
To prevent path traversal vulnerabilities, always validate and sanitize file paths, use File.basename() to extract only the filename, or use allowlists for permitted files.
YAML
id: path-traversal
message: Potential Path Traversal vulnerability detected. User input is being used to construct file paths without validation.
severity: hint
language: Ruby
note: |
Path Traversal (Directory Traversal) occurs when user input is used to construct file paths
without proper validation. This allows attackers to access files outside the intended directory.
Validate and sanitize file paths, and use File.basename() or similar functions.
rule:
any:
- pattern: Rails.root.join($$$, $VAR, $$$)
- pattern: File.join($$$, $VAR, $$$)
- pattern: send_file $VARExample
# Pattern 1: Rails.root.join with variable
Rails.root.join('uploads', params[:filename])
Rails.root.join('data', user_input, 'file.txt')
# Pattern 2: File.join with variable
File.join('/var/www', params[:path])
File.join(base_path, user_id, filename)
# Pattern 3: send_file with variable
send_file params[:file]
send_file user.document_pathContributed by
sora fs0414 from this blog post