Does it provide guidance for secure file uploads?

Absolutely. It mandates validation for file types, sizes, and magic bytes, while recommending ActiveStorage and storing files outside the public directory.

How does this skill prevent SQL injection in Rails?

The skill enforces the use of hash conditions and positional placeholders in ActiveRecord queries while strictly forbidding string interpolation for any user-provided input.

When should I activate the Rails Security skill?

You should use it whenever you are building features that touch user input, handling database queries, managing authentication, or executing shell commands.

Can it help with Cross-Site Scripting (XSS)?

Yes, it provides implementation patterns for safe HTML sanitization, Content Security Policy (CSP) configuration, and prevents the use of unsafe methods like .html_safe.

Rails Security Expert

Name: Rails Security Expert
Author: zerobearing2

byzerobearing2

•

安全与测试

Protects Ruby on Rails applications from critical vulnerabilities like XSS, SQL injection, and CSRF using industry-standard security patterns.

关于

The Rails Security Expert skill provides comprehensive protection and auditing for Ruby on Rails applications. It focuses on mitigating common attack vectors including Cross-Site Scripting (XSS), SQL Injection, and command injection by enforcing strict implementation rules. The skill guides developers through secure database querying, safe user-content rendering, and robust file upload handling, ensuring that every interaction with sensitive data or user input follows the principle of least privilege and modern security best practices.

主要功能

XSS prevention via automatic escaping and allowlist-based sanitization
Secure file upload validation for types, sizes, and sanitized filenames
18 GitHub stars
SQL injection mitigation using parameterized queries and hash conditions
CSRF protection enforcement for forms and JavaScript requests
Command injection prevention via array-form system call enforcement

使用场景

Auditing and implementing secure system commands and file processing workflows
Securing displays for user-generated content and markdown rendering
Hardening ActiveRecord queries that incorporate dynamic user input

关于

主要功能

XSS prevention via automatic escaping and allowlist-based sanitization
Secure file upload validation for types, sizes, and sanitized filenames
18 GitHub stars
SQL injection mitigation using parameterized queries and hash conditions
CSRF protection enforcement for forms and JavaScript requests
Command injection prevention via array-form system call enforcement

使用场景

Auditing and implementing secure system commands and file processing workflows
Securing displays for user-generated content and markdown rendering
Hardening ActiveRecord queries that incorporate dynamic user input