igmarin/rails-agent-skills
Curated library of AI agent skills for Ruby on Rails development. Covers code review, architecture, security, testing (RSpec), engines, service objects, DDD patterns, and workflow automation.
95
97%
Does it follow best practices?
Impact
91%
2.21xAverage score across 3 eval scenarios
Passed
No known issues
SKILL.mdrails-security-review/
- name:
- rails-security-review
- description:
- Use when reviewing Rails code for security risks, assessing authentication or authorization, auditing parameter handling, redirects, file uploads, secrets management, or checking for XSS, CSRF, SSRF, SQL injection, and other common vulnerabilities.
Rails Security Review
Use this skill when the task is to review or harden Rails code from a security perspective.
Core principle: Prioritize exploitable issues over style. Assume any untrusted input can be abused.
Quick Reference
| Area | Key Checks |
|---|---|
| Auth | Permissions on every sensitive action |
| Params | No permit!, whitelist only safe attributes |
| Queries | Parameterized — no string interpolation in SQL |
| Redirects | Constrained to relative paths or allowlist |
| Output | No html_safe/raw on user content |
| Secrets | Encrypted credentials, never in code or logs |
| Files | Validate filename, content type, destination |
Review Order
- Check authentication and authorization boundaries.
- Check parameter handling and sensitive attribute assignment.
- Check redirects, rendering, and output encoding.
- Check file handling, network calls, and background job inputs.
- Check secrets, logging, and operational exposure.
Severity Levels
High-Severity Findings
- Missing or bypassable authorization checks
- SQL, shell, YAML, or constantization injection paths
- Unsafe redirects or SSRF-capable outbound requests
- File upload handling that trusts filename, content type, or destination blindly
- Secrets or tokens stored in code, logs, or unsafe config
Medium-Severity Findings
- Unscoped mass assignment through weak parameter filtering
- User-controlled HTML rendered without clear sanitization
- Sensitive data logged in plaintext
- Security-relevant behavior hidden in callbacks or background jobs without guardrails
- Brittle custom auth logic where framework primitives would be safer
Review Checklist
- Are permissions enforced on every sensitive action?
- Are untrusted inputs validated before database, filesystem, or network use?
- Are redirects and URLs constrained?
- Are secrets stored and logged safely?
- Are security assumptions explicit and testable?
Examples
High-severity (unscoped redirect):
# Bad: user-controlled redirect
redirect_to params[:return_to]- Severity: High. Attack path: Attacker sets
return_to=https://evil.comto redirect victims. Mitigation: Redirect only to relative paths or an allowlist.
Medium-severity (mass assignment):
# Bad: permit too much
params.require(:user).permit!- Severity: Medium. Risk:
permit!allows privilege escalation. Mitigation: Permit only safe attributes; never permitrole,admin, or other privilege fields from request params.
Common Mistakes
| Mistake | Reality |
|---|---|
| "Only internal users access this" | Internal tools get compromised. Apply same security standards. |
permit! "just for now" | It will ship. Whitelist attributes from day one. |
| "Rails handles CSRF automatically" | Only if protect_from_forgery is active and tokens are verified. |
| String interpolation in SQL | SQL injection. Always use parameterized queries. |
html_safe on user content | XSS. Only use on developer-controlled strings. |
| Secrets in environment files committed to git | Use encrypted credentials. Rotate compromised secrets immediately. |
Red Flags
permit!anywhere in production code- String interpolation in
where(),find_by_sql(), orexecute() redirect_to params[:url]without validationhtml_safeorrawcalled on user-provided data- Secrets or API keys in committed files (
.env,secrets.yml) - No authorization check before destructive actions
- Background job inputs not validated (jobs are entry points too)
Output Style
Write findings first.
For each finding include:
- Severity
- Attack path or failure mode
- Affected file or area
- Smallest credible mitigation
Integration
| Skill | When to chain |
|---|---|
| rails-code-review | For full code review including non-security concerns |
| rails-architecture-review | When security issues stem from architectural problems |
| rails-migration-safety | When reviewing migration security (data exposure, constraints) |
api-rest-collection
create-prd
ddd-boundaries-review
ddd-rails-modeling
ddd-ubiquitous-language
evals
generate-tasks
rails-agent-skills
rails-architecture-review
rails-background-jobs
rails-bug-triage
rails-code-conventions
rails-code-review
rails-engine-compatibility
rails-engine-docs
rails-engine-extraction
rails-engine-installers
rails-engine-release
rails-engine-reviewer
rails-engine-testing
rails-graphql-best-practices
rails-migration-safety
rails-review-response
rails-security-review
rails-stack-conventions
rails-tdd-slices
refactor-safely
rspec-best-practices
rspec-service-testing
ruby-api-client-integration
ruby-service-objects
strategy-factory-null-calculator
ticket-planning
yard-documentation