Expand intel coverage and refresh monitoring

2026-03-18 14:18:09 -07:00
--- a/07-framework-security/frameworks/rails/cases/rails-cve-2006-4111.md
+++ b/07-framework-security/frameworks/rails/cases/rails-cve-2006-4111.md
@@ -0,0 +1,113 @@
+---
+title: "Ruby on Rails vulnerable to code injection"
+system_id: "rails"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2017-10-24T18:33:38Z"
+updated_date: "2025-04-03T14:58:34.698394Z"
+severity: "high"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2006-4111"
+  - "GHSA-rvpq-5xqx-pfpp"
+affected_versions:
+  - "1.1.0"
+  - "1.1.1"
+  - "1.1.2"
+  - "1.1.3"
+  - "1.1.4"
+  - "1.1.5"
+  - "introduced=1.1.0, fixed<1.1.6"
+fixed_versions:
+  - "1.1.6"
+secure_code_topics:
+  - "xss-output-encoding"
+  - "file-upload-validation"
+  - "authz-server-side-recheck"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2006-4111"
+---
+
+# Ruby on Rails vulnerable to code injection
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `rails--CVE-2006-4111`
+- 系统: `rails`
+- 严重度: `high`
+- 来源置信度: `official`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2006-4111
+- 影响版本: `1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, introduced=1.1.0, fixed<1.1.6`
+- 修复版本: `1.1.6`
+
+## 其他来源
+
+- http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html
+- https://github.com/presidentbeef/rails-security-history/blob/master/vulnerabilities.md
+- https://github.com/rails/rails
+- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4111.yml
+- https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454
+- https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673
+- http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits
+- http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml
+- http://www.novell.com/linux/security/advisories/2006_21_sr.html
+- http://secunia.com/advisories/21466
+- http://secunia.com/advisories/21749
+- http://securitytracker.com/id?1016673
+- http://www.securityfocus.com/bid/19454
+- http://www.vupen.com/english/advisories/2006/3237
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:file-upload-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/file-upload-validation.md)
+- [nodejs:file-upload-validation](/Users/x/websafe/05-defense/secure-code/nodejs/file-upload-validation.md)
+- [java:file-upload-validation](/Users/x/websafe/05-defense/secure-code/java/file-upload-validation.md)
+- [php:file-upload-validation](/Users/x/websafe/05-defense/secure-code/php/file-upload-validation.md)
+- [python:file-upload-validation](/Users/x/websafe/05-defense/secure-code/python/file-upload-validation.md)
+- [ruby:file-upload-validation](/Users/x/websafe/05-defense/secure-code/ruby/file-upload-validation.md)
+- [csharp:file-upload-validation](/Users/x/websafe/05-defense/secure-code/csharp/file-upload-validation.md)
+- [go:file-upload-validation](/Users/x/websafe/05-defense/secure-code/go/file-upload-validation.md)
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
--- a/07-framework-security/frameworks/rails/cases/rails-cve-2006-4112.md
+++ b/07-framework-security/frameworks/rails/cases/rails-cve-2006-4112.md
@@ -0,0 +1,124 @@
+---
+title: "Rails Denial of Service vulnerability"
+system_id: "rails"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2017-10-24T18:33:38Z"
+updated_date: "2025-04-03T15:46:47.783301Z"
+severity: "high"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2006-4112"
+  - "GHSA-9wrq-xvmp-xjc8"
+affected_versions:
+  - "1.1.0"
+  - "1.1.1"
+  - "1.1.2"
+  - "1.1.3"
+  - "1.1.4"
+  - "1.1.5"
+  - "introduced=1.1.0, fixed<1.1.6"
+fixed_versions:
+  - "1.1.6"
+secure_code_topics:
+  - "xss-output-encoding"
+  - "file-upload-validation"
+  - "authz-server-side-recheck"
+  - "dependency-upgrade-policy"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2006-4112"
+---
+
+# Rails Denial of Service vulnerability
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `rails--CVE-2006-4112`
+- 系统: `rails`
+- 严重度: `high`
+- 来源置信度: `official`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2006-4112
+- 影响版本: `1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, introduced=1.1.0, fixed<1.1.6`
+- 修复版本: `1.1.6`
+
+## 其他来源
+
+- http://secunia.com/advisories/21424
+- https://exchange.xforce.ibmcloud.com/vulnerabilities/28364
+- https://github.com/rails/rails
+- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4112.yml
+- https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454
+- https://web.archive.org/web/20200804225700/http://www.securityfocus.com/archive/1/442934/100/0/threaded
+- https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673
+- http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure
+- http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml
+- http://www.kb.cert.org/vuls/id/699540
+- http://www.novell.com/linux/security/advisories/2006_21_sr.html
+- http://secunia.com/advisories/21466
+- http://secunia.com/advisories/21749
+- http://securitytracker.com/id?1016673
+- http://www.securityfocus.com/archive/1/442934/100/0/threaded
+- http://www.securityfocus.com/bid/19454
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:file-upload-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/file-upload-validation.md)
+- [nodejs:file-upload-validation](/Users/x/websafe/05-defense/secure-code/nodejs/file-upload-validation.md)
+- [java:file-upload-validation](/Users/x/websafe/05-defense/secure-code/java/file-upload-validation.md)
+- [php:file-upload-validation](/Users/x/websafe/05-defense/secure-code/php/file-upload-validation.md)
+- [python:file-upload-validation](/Users/x/websafe/05-defense/secure-code/python/file-upload-validation.md)
+- [ruby:file-upload-validation](/Users/x/websafe/05-defense/secure-code/ruby/file-upload-validation.md)
+- [csharp:file-upload-validation](/Users/x/websafe/05-defense/secure-code/csharp/file-upload-validation.md)
+- [go:file-upload-validation](/Users/x/websafe/05-defense/secure-code/go/file-upload-validation.md)
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)
--- a/07-framework-security/frameworks/rails/cases/rails-cve-2007-3227.md
+++ b/07-framework-security/frameworks/rails/cases/rails-cve-2007-3227.md
@@ -0,0 +1,128 @@
+---
+title: "Moderate severity vulnerability that affects rails"
+system_id: "rails"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2017-10-24T18:33:38Z"
+updated_date: "2025-04-09T15:30:21.670801Z"
+severity: "medium"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2007-3227"
+  - "GHSA-gm25-fpmr-43fj"
+affected_versions:
+  - "0.10.0"
+  - "0.10.1"
+  - "0.11.0"
+  - "0.11.1"
+  - "0.12.0"
+  - "0.12.1"
+  - "0.13.0"
+  - "0.13.1"
+  - "0.14.1"
+  - "0.14.2"
+  - "0.14.3"
+  - "0.14.4"
+  - "0.8.0"
+  - "0.8.5"
+  - "0.9.0"
+  - "0.9.1"
+  - "0.9.2"
+  - "0.9.3"
+  - "0.9.4"
+  - "0.9.4.1"
+fixed_versions:
+  - "1.2.5"
+secure_code_topics:
+  - "xss-output-encoding"
+  - "file-upload-validation"
+  - "authz-server-side-recheck"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2007-3227"
+---
+
+# Moderate severity vulnerability that affects rails
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `rails--CVE-2007-3227`
+- 系统: `rails`
+- 严重度: `medium`
+- 来源置信度: `official`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2007-3227
+- 影响版本: `0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.12.0, 0.12.1, 0.13.0, 0.13.1, 0.14.1, 0.14.2`
+- 修复版本: `1.2.5`
+
+## 其他来源
+
+- http://bugs.gentoo.org/show_bug.cgi?id=195315
+- https://github.com/advisories/GHSA-gm25-fpmr-43fj
+- https://github.com/rails/rails
+- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-3227.yml
+- http://dev.rubyonrails.org/ticket/8371
+- http://osvdb.org/36378
+- http://pastie.caboo.se/65550.txt
+- http://secunia.com/advisories/25699
+- http://secunia.com/advisories/27657
+- http://secunia.com/advisories/27756
+- http://security.gentoo.org/glsa/glsa-200711-17.xml
+- http://weblog.rubyonrails.org/2007/10/12/rails-1-2-5-maintenance-release
+- http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
+- http://www.novell.com/linux/security/advisories/2007_24_sr.html
+- http://www.securityfocus.com/bid/24161
+- http://www.vupen.com/english/advisories/2007/2216
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:file-upload-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/file-upload-validation.md)
+- [nodejs:file-upload-validation](/Users/x/websafe/05-defense/secure-code/nodejs/file-upload-validation.md)
+- [java:file-upload-validation](/Users/x/websafe/05-defense/secure-code/java/file-upload-validation.md)
+- [php:file-upload-validation](/Users/x/websafe/05-defense/secure-code/php/file-upload-validation.md)
+- [python:file-upload-validation](/Users/x/websafe/05-defense/secure-code/python/file-upload-validation.md)
+- [ruby:file-upload-validation](/Users/x/websafe/05-defense/secure-code/ruby/file-upload-validation.md)
+- [csharp:file-upload-validation](/Users/x/websafe/05-defense/secure-code/csharp/file-upload-validation.md)
+- [go:file-upload-validation](/Users/x/websafe/05-defense/secure-code/go/file-upload-validation.md)
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
--- a/07-framework-security/frameworks/rails/cases/rails-cve-2007-5379.md
+++ b/07-framework-security/frameworks/rails/cases/rails-cve-2007-5379.md
@@ -0,0 +1,129 @@
+---
+title: "Moderate severity vulnerability that affects rails"
+system_id: "rails"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2017-10-24T18:33:38Z"
+updated_date: "2025-05-01T18:49:06.777708Z"
+severity: "medium"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2007-5379"
+  - "GHSA-fjfg-q662-gm6j"
+affected_versions:
+  - "0.10.0"
+  - "0.10.1"
+  - "0.11.0"
+  - "0.11.1"
+  - "0.12.0"
+  - "0.12.1"
+  - "0.13.0"
+  - "0.13.1"
+  - "0.14.1"
+  - "0.14.2"
+  - "0.14.3"
+  - "0.14.4"
+  - "0.8.0"
+  - "0.8.5"
+  - "0.9.0"
+  - "0.9.1"
+  - "0.9.2"
+  - "0.9.3"
+  - "0.9.4"
+  - "0.9.4.1"
+fixed_versions:
+  - "1.2.4"
+secure_code_topics:
+  - "xss-output-encoding"
+  - "file-upload-validation"
+  - "authz-server-side-recheck"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2007-5379"
+---
+
+# Moderate severity vulnerability that affects rails
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `rails--CVE-2007-5379`
+- 系统: `rails`
+- 严重度: `medium`
+- 来源置信度: `official`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2007-5379
+- 影响版本: `0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.12.0, 0.12.1, 0.13.0, 0.13.1, 0.14.1, 0.14.2`
+- 修复版本: `1.2.4`
+
+## 其他来源
+
+- http://bugs.gentoo.org/show_bug.cgi?id=195315
+- https://github.com/rails/rails
+- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-5379.yml
+- https://rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
+- https://web.archive.org/web/20090602000500/http://dev.rubyonrails.org/ticket/8453
+- http://docs.info.apple.com/article.html?artnum=307179
+- http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
+- http://security.gentoo.org/glsa/glsa-200711-17.xml
+- http://www.us-cert.gov/cas/techalerts/TA07-352A.html
+- http://www.vupen.com/english/advisories/2007/3508
+- http://www.vupen.com/english/advisories/2007/4238
+- http://dev.rubyonrails.org/ticket/8453
+- http://osvdb.org/40717
+- http://secunia.com/advisories/27657
+- http://secunia.com/advisories/28136
+- http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
+- http://www.securityfocus.com/bid/26096
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:file-upload-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/file-upload-validation.md)
+- [nodejs:file-upload-validation](/Users/x/websafe/05-defense/secure-code/nodejs/file-upload-validation.md)
+- [java:file-upload-validation](/Users/x/websafe/05-defense/secure-code/java/file-upload-validation.md)
+- [php:file-upload-validation](/Users/x/websafe/05-defense/secure-code/php/file-upload-validation.md)
+- [python:file-upload-validation](/Users/x/websafe/05-defense/secure-code/python/file-upload-validation.md)
+- [ruby:file-upload-validation](/Users/x/websafe/05-defense/secure-code/ruby/file-upload-validation.md)
+- [csharp:file-upload-validation](/Users/x/websafe/05-defense/secure-code/csharp/file-upload-validation.md)
+- [go:file-upload-validation](/Users/x/websafe/05-defense/secure-code/go/file-upload-validation.md)
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
--- a/07-framework-security/frameworks/rails/cases/rails-cve-2007-5380.md
+++ b/07-framework-security/frameworks/rails/cases/rails-cve-2007-5380.md
@@ -0,0 +1,137 @@
+---
+title: "Session fixation vulnerability in Rails "
+system_id: "rails"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2017-10-24T18:33:38Z"
+updated_date: "2025-04-09T15:30:02.622007Z"
+severity: "medium"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2007-5380"
+  - "GHSA-jwhv-rgqc-fqj5"
+affected_versions:
+  - "0.10.0"
+  - "0.10.1"
+  - "0.11.0"
+  - "0.11.1"
+  - "0.12.0"
+  - "0.12.1"
+  - "0.13.0"
+  - "0.13.1"
+  - "0.14.1"
+  - "0.14.2"
+  - "0.14.3"
+  - "0.14.4"
+  - "0.8.0"
+  - "0.8.5"
+  - "0.9.0"
+  - "0.9.1"
+  - "0.9.2"
+  - "0.9.3"
+  - "0.9.4"
+  - "0.9.4.1"
+fixed_versions:
+  - "1.2.4"
+secure_code_topics:
+  - "xss-output-encoding"
+  - "file-upload-validation"
+  - "authz-server-side-recheck"
+  - "token-cookie-storage"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2007-5380"
+---
+
+# Session fixation vulnerability in Rails 
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `rails--CVE-2007-5380`
+- 系统: `rails`
+- 严重度: `medium`
+- 来源置信度: `official`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2007-5380
+- 影响版本: `0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.12.0, 0.12.1, 0.13.0, 0.13.1, 0.14.1, 0.14.2`
+- 修复版本: `1.2.4`
+
+## 其他来源
+
+- http://bugs.gentoo.org/show_bug.cgi?id=195315
+- https://github.com/advisories/GHSA-jwhv-rgqc-fqj5
+- https://github.com/rails/rails
+- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-5380.yml
+- http://docs.info.apple.com/article.html?artnum=307179
+- http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
+- http://secunia.com/advisories/27657
+- http://secunia.com/advisories/27965
+- http://secunia.com/advisories/28136
+- http://security.gentoo.org/glsa/glsa-200711-17.xml
+- http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
+- http://www.novell.com/linux/security/advisories/2007_25_sr.html
+- http://www.securityfocus.com/bid/26096
+- http://www.us-cert.gov/cas/techalerts/TA07-352A.html
+- http://www.vupen.com/english/advisories/2007/3508
+- http://www.vupen.com/english/advisories/2007/4238
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:file-upload-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/file-upload-validation.md)
+- [nodejs:file-upload-validation](/Users/x/websafe/05-defense/secure-code/nodejs/file-upload-validation.md)
+- [java:file-upload-validation](/Users/x/websafe/05-defense/secure-code/java/file-upload-validation.md)
+- [php:file-upload-validation](/Users/x/websafe/05-defense/secure-code/php/file-upload-validation.md)
+- [python:file-upload-validation](/Users/x/websafe/05-defense/secure-code/python/file-upload-validation.md)
+- [ruby:file-upload-validation](/Users/x/websafe/05-defense/secure-code/ruby/file-upload-validation.md)
+- [csharp:file-upload-validation](/Users/x/websafe/05-defense/secure-code/csharp/file-upload-validation.md)
+- [go:file-upload-validation](/Users/x/websafe/05-defense/secure-code/go/file-upload-validation.md)
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
--- a/07-framework-security/frameworks/rails/cases/rails-cve-2007-6077.md
+++ b/07-framework-security/frameworks/rails/cases/rails-cve-2007-6077.md
@@ -0,0 +1,135 @@
+---
+title: "session fixation protection mechanism in cgi_process.rb in Rails"
+system_id: "rails"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2017-10-24T18:33:38Z"
+updated_date: "2025-04-09T15:55:51.425352Z"
+severity: "medium"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2007-6077"
+  - "GHSA-p4c6-77gc-694x"
+affected_versions:
+  - "0.10.0"
+  - "0.10.1"
+  - "0.11.0"
+  - "0.11.1"
+  - "0.12.0"
+  - "0.12.1"
+  - "0.13.0"
+  - "0.13.1"
+  - "0.14.1"
+  - "0.14.2"
+  - "0.14.3"
+  - "0.14.4"
+  - "0.8.0"
+  - "0.8.5"
+  - "0.9.0"
+  - "0.9.1"
+  - "0.9.2"
+  - "0.9.3"
+  - "0.9.4"
+  - "0.9.4.1"
+fixed_versions:
+  - "1.2.6"
+secure_code_topics:
+  - "xss-output-encoding"
+  - "file-upload-validation"
+  - "authz-server-side-recheck"
+  - "token-cookie-storage"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2007-6077"
+---
+
+# session fixation protection mechanism in cgi_process.rb in Rails
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `rails--CVE-2007-6077`
+- 系统: `rails`
+- 严重度: `medium`
+- 来源置信度: `official`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2007-6077
+- 影响版本: `0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.12.0, 0.12.1, 0.13.0, 0.13.1, 0.14.1, 0.14.2`
+- 修复版本: `1.2.6`
+
+## 其他来源
+
+- http://dev.rubyonrails.org/changeset/8177
+- https://github.com/advisories/GHSA-p4c6-77gc-694x
+- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-6077.yml
+- https://rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release
+- http://dev.rubyonrails.org/ticket/10048
+- http://docs.info.apple.com/article.html?artnum=307179
+- http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
+- http://secunia.com/advisories/27781
+- http://secunia.com/advisories/28136
+- http://weblog.rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release
+- http://www.securityfocus.com/bid/26598
+- http://www.us-cert.gov/cas/techalerts/TA07-352A.html
+- http://www.vupen.com/english/advisories/2007/4009
+- http://www.vupen.com/english/advisories/2007/4238
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:file-upload-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/file-upload-validation.md)
+- [nodejs:file-upload-validation](/Users/x/websafe/05-defense/secure-code/nodejs/file-upload-validation.md)
+- [java:file-upload-validation](/Users/x/websafe/05-defense/secure-code/java/file-upload-validation.md)
+- [php:file-upload-validation](/Users/x/websafe/05-defense/secure-code/php/file-upload-validation.md)
+- [python:file-upload-validation](/Users/x/websafe/05-defense/secure-code/python/file-upload-validation.md)
+- [ruby:file-upload-validation](/Users/x/websafe/05-defense/secure-code/ruby/file-upload-validation.md)
+- [csharp:file-upload-validation](/Users/x/websafe/05-defense/secure-code/csharp/file-upload-validation.md)
+- [go:file-upload-validation](/Users/x/websafe/05-defense/secure-code/go/file-upload-validation.md)
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
--- a/07-framework-security/frameworks/rails/cases/rails-cve-2008-5189.md
+++ b/07-framework-security/frameworks/rails/cases/rails-cve-2008-5189.md
@@ -0,0 +1,119 @@
+---
+title: "rails is vulnerable to CRLF injection"
+system_id: "rails"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2017-10-24T18:33:38Z"
+updated_date: "2025-04-09T17:02:22.936736Z"
+severity: "medium"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2008-5189"
+  - "GHSA-jmgf-p46x-982h"
+affected_versions:
+  - "0.10.0"
+  - "0.10.1"
+  - "0.11.0"
+  - "0.11.1"
+  - "0.12.0"
+  - "0.12.1"
+  - "0.13.0"
+  - "0.13.1"
+  - "0.14.1"
+  - "0.14.2"
+  - "0.14.3"
+  - "0.14.4"
+  - "0.8.0"
+  - "0.8.5"
+  - "0.9.0"
+  - "0.9.1"
+  - "0.9.2"
+  - "0.9.3"
+  - "0.9.4"
+  - "0.9.4.1"
+fixed_versions:
+  - "2.0.5"
+secure_code_topics:
+  - "xss-output-encoding"
+  - "file-upload-validation"
+  - "authz-server-side-recheck"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2008-5189"
+---
+
+# rails is vulnerable to CRLF injection
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `rails--CVE-2008-5189`
+- 系统: `rails`
+- 严重度: `medium`
+- 来源置信度: `official`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2008-5189
+- 影响版本: `0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.12.0, 0.12.1, 0.13.0, 0.13.1, 0.14.1, 0.14.2`
+- 修复版本: `2.0.5`
+
+## 其他来源
+
+- http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d
+- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2008-5189.yml
+- http://github.com/rails/rails
+- http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
+- http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing
+- http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk
+- http://www.securityfocus.com/bid/32359
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:file-upload-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/file-upload-validation.md)
+- [nodejs:file-upload-validation](/Users/x/websafe/05-defense/secure-code/nodejs/file-upload-validation.md)
+- [java:file-upload-validation](/Users/x/websafe/05-defense/secure-code/java/file-upload-validation.md)
+- [php:file-upload-validation](/Users/x/websafe/05-defense/secure-code/php/file-upload-validation.md)
+- [python:file-upload-validation](/Users/x/websafe/05-defense/secure-code/python/file-upload-validation.md)
+- [ruby:file-upload-validation](/Users/x/websafe/05-defense/secure-code/ruby/file-upload-validation.md)
+- [csharp:file-upload-validation](/Users/x/websafe/05-defense/secure-code/csharp/file-upload-validation.md)
+- [go:file-upload-validation](/Users/x/websafe/05-defense/secure-code/go/file-upload-validation.md)
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
--- a/07-framework-security/frameworks/rails/cases/rails-cve-2009-4214.md
+++ b/07-framework-security/frameworks/rails/cases/rails-cve-2009-4214.md
@@ -0,0 +1,140 @@
+---
+title: "Moderate severity vulnerability that affects rails"
+system_id: "rails"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2017-10-24T18:33:38Z"
+updated_date: "2025-04-09T20:05:53.148849Z"
+severity: "medium"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2009-4214"
+  - "GHSA-9p3v-wf2w-v29c"
+affected_versions:
+  - "0.10.0"
+  - "0.10.1"
+  - "0.11.0"
+  - "0.11.1"
+  - "0.12.0"
+  - "0.12.1"
+  - "0.13.0"
+  - "0.13.1"
+  - "0.14.1"
+  - "0.14.2"
+  - "0.14.3"
+  - "0.14.4"
+  - "0.8.0"
+  - "0.8.5"
+  - "0.9.0"
+  - "0.9.1"
+  - "0.9.2"
+  - "0.9.3"
+  - "0.9.4"
+  - "0.9.4.1"
+fixed_versions:
+  - "2.2.2"
+  - "2.3.5"
+secure_code_topics:
+  - "xss-output-encoding"
+  - "file-upload-validation"
+  - "authz-server-side-recheck"
+  - "token-cookie-storage"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2009-4214"
+---
+
+# Moderate severity vulnerability that affects rails
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `rails--CVE-2009-4214`
+- 系统: `rails`
+- 严重度: `medium`
+- 来源置信度: `official`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2009-4214
+- 影响版本: `0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.12.0, 0.12.1, 0.13.0, 0.13.1, 0.14.1, 0.14.2`
+- 修复版本: `2.2.2, 2.3.5`
+
+## 其他来源
+
+- http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5
+- https://github.com/advisories/GHSA-9p3v-wf2w-v29c
+- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2009-4214.yml
+- http://github.com/rails/rails
+- http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1
+- http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
+- http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
+- http://secunia.com/advisories/37446
+- http://secunia.com/advisories/38915
+- http://support.apple.com/kb/HT4077
+- http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released
+- http://www.debian.org/security/2011/dsa-2260
+- http://www.debian.org/security/2011/dsa-2301
+- http://www.openwall.com/lists/oss-security/2009/11/27/2
+- http://www.openwall.com/lists/oss-security/2009/12/08/3
+- http://www.securityfocus.com/bid/37142
+- http://www.securitytracker.com/id?1023245
+- http://www.vupen.com/english/advisories/2009/3352
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:file-upload-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/file-upload-validation.md)
+- [nodejs:file-upload-validation](/Users/x/websafe/05-defense/secure-code/nodejs/file-upload-validation.md)
+- [java:file-upload-validation](/Users/x/websafe/05-defense/secure-code/java/file-upload-validation.md)
+- [php:file-upload-validation](/Users/x/websafe/05-defense/secure-code/php/file-upload-validation.md)
+- [python:file-upload-validation](/Users/x/websafe/05-defense/secure-code/python/file-upload-validation.md)
+- [ruby:file-upload-validation](/Users/x/websafe/05-defense/secure-code/ruby/file-upload-validation.md)
+- [csharp:file-upload-validation](/Users/x/websafe/05-defense/secure-code/csharp/file-upload-validation.md)
+- [go:file-upload-validation](/Users/x/websafe/05-defense/secure-code/go/file-upload-validation.md)
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
--- a/07-framework-security/frameworks/rails/cases/rails-cve-2014-0081.md
+++ b/07-framework-security/frameworks/rails/cases/rails-cve-2014-0081.md
@@ -0,0 +1,124 @@
+---
+title: "Rails vulnerable to Cross-site Scripting"
+system_id: "rails"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2017-10-24T18:33:36Z"
+updated_date: "2024-12-08T05:43:59.579843Z"
+severity: "unknown"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2014-0081"
+  - "GHSA-m46p-ggm5-5j83"
+affected_versions:
+  - "3.0.0"
+  - "3.0.1"
+  - "3.0.10"
+  - "3.0.10.rc1"
+  - "3.0.11"
+  - "3.0.12"
+  - "3.0.12.rc1"
+  - "3.0.13"
+  - "3.0.13.rc1"
+  - "3.0.14"
+  - "3.0.15"
+  - "3.0.16"
+  - "3.0.17"
+  - "3.0.18"
+  - "3.0.19"
+  - "3.0.2"
+  - "3.0.20"
+  - "3.0.3"
+  - "3.0.4"
+  - "3.0.4.rc1"
+fixed_versions:
+  - "3.2.17"
+  - "4.0.3"
+secure_code_topics:
+  - "xss-output-encoding"
+  - "file-upload-validation"
+  - "authz-server-side-recheck"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2014-0081"
+---
+
+# Rails vulnerable to Cross-site Scripting
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `rails--CVE-2014-0081`
+- 系统: `rails`
+- 严重度: `unknown`
+- 来源置信度: `official`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2014-0081
+- 影响版本: `3.0.0, 3.0.1, 3.0.10, 3.0.10.rc1, 3.0.11, 3.0.12, 3.0.12.rc1, 3.0.13, 3.0.13.rc1, 3.0.14`
+- 修复版本: `3.2.17, 4.0.3`
+
+## 其他来源
+
+- https://github.com/rails/rails/commit/08d0a11a3f62718d601d39e617c834759cf59bbb
+- https://github.com/rails/rails
+- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0081.yml
+- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2014-0081.yml
+- https://web.archive.org/web/20140911141416/http://www.securitytracker.com/id/1029782
+- https://web.archive.org/web/20170307202606/http://www.securityfocus.com/bid/65647
+- https://web.archive.org/web/20201207045136/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ
+- http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html
+- http://openwall.com/lists/oss-security/2014/02/18/8
+- http://rhn.redhat.com/errata/RHSA-2014-0215.html
+- http://rhn.redhat.com/errata/RHSA-2014-0306.html
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:file-upload-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/file-upload-validation.md)
+- [nodejs:file-upload-validation](/Users/x/websafe/05-defense/secure-code/nodejs/file-upload-validation.md)
+- [java:file-upload-validation](/Users/x/websafe/05-defense/secure-code/java/file-upload-validation.md)
+- [php:file-upload-validation](/Users/x/websafe/05-defense/secure-code/php/file-upload-validation.md)
+- [python:file-upload-validation](/Users/x/websafe/05-defense/secure-code/python/file-upload-validation.md)
+- [ruby:file-upload-validation](/Users/x/websafe/05-defense/secure-code/ruby/file-upload-validation.md)
+- [csharp:file-upload-validation](/Users/x/websafe/05-defense/secure-code/csharp/file-upload-validation.md)
+- [go:file-upload-validation](/Users/x/websafe/05-defense/secure-code/go/file-upload-validation.md)
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
--- a/07-framework-security/frameworks/rails/cases/rails-cve-2024-26143.md
+++ b/07-framework-security/frameworks/rails/cases/rails-cve-2024-26143.md
@@ -0,0 +1,121 @@
+---
+title: "Rails has possible XSS Vulnerability in Action Controller"
+system_id: "rails"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2024-02-27T21:41:12Z"
+updated_date: "2024-12-20T10:42:26.578616Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "BIT-rails-2024-26143"
+  - "CVE-2024-26143"
+  - "GHSA-9822-6m93-xqf4"
+affected_versions:
+  - "7.0.0"
+  - "7.0.1"
+  - "7.0.2"
+  - "7.0.2.1"
+  - "7.0.2.2"
+  - "7.0.2.3"
+  - "7.0.2.4"
+  - "7.0.3"
+  - "7.0.3.1"
+  - "7.0.4"
+  - "7.0.4.1"
+  - "7.0.4.2"
+  - "7.0.4.3"
+  - "7.0.5"
+  - "7.0.5.1"
+  - "7.0.6"
+  - "7.0.7"
+  - "7.0.7.1"
+  - "7.0.7.2"
+  - "7.0.8"
+fixed_versions:
+  - "7.0.8.1"
+  - "7.1.3.1"
+secure_code_topics:
+  - "xss-output-encoding"
+  - "file-upload-validation"
+  - "authz-server-side-recheck"
+primary_source: "https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4"
+---
+
+# Rails has possible XSS Vulnerability in Action Controller
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `rails--CVE-2024-26143`
+- 系统: `rails`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4
+- 影响版本: `7.0.0, 7.0.1, 7.0.2, 7.0.2.1, 7.0.2.2, 7.0.2.3, 7.0.2.4, 7.0.3, 7.0.3.1, 7.0.4`
+- 修复版本: `7.0.8.1, 7.1.3.1`
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2024-26143
+- https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc
+- https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e
+- https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947
+- https://github.com/rails/rails
+- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml
+- https://security.netapp.com/advisory/ntap-20240510-0004
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:file-upload-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/file-upload-validation.md)
+- [nodejs:file-upload-validation](/Users/x/websafe/05-defense/secure-code/nodejs/file-upload-validation.md)
+- [java:file-upload-validation](/Users/x/websafe/05-defense/secure-code/java/file-upload-validation.md)
+- [php:file-upload-validation](/Users/x/websafe/05-defense/secure-code/php/file-upload-validation.md)
+- [python:file-upload-validation](/Users/x/websafe/05-defense/secure-code/python/file-upload-validation.md)
+- [ruby:file-upload-validation](/Users/x/websafe/05-defense/secure-code/ruby/file-upload-validation.md)
+- [csharp:file-upload-validation](/Users/x/websafe/05-defense/secure-code/csharp/file-upload-validation.md)
+- [go:file-upload-validation](/Users/x/websafe/05-defense/secure-code/go/file-upload-validation.md)
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)