Unsanitized user input in 'eval' type function
- Rule ID: java_lang_eval_using_user_input
- Languages: java
- Source: eval_using_user_input.yml
Description
Using 'eval' or similar functions with unsanitized user input poses a high security risk. This practice can result in command injection attacks, where attackers can execute arbitrary code within your application.
Remediations
- Do not use 'eval' or similar functions with user-supplied data. This can open up your application to severe vulnerabilities.
- Do validate and sanitize all user input before using it in your code. Ensure that inputs are checked against a strict set of rules.
- Do use safer alternatives to 'eval' for dynamic code execution needs. Consider using functions that do not execute user-supplied data as code.
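The pattern this rule looks for, next to the remediation it recommends, as an added example that is not part of the Bearer rule or its documentation. It assumes the rule matches the standard javax.script ScriptEngine.eval API (an assumption; other eval-style APIs are treated the same way), and the class and method names are constructed for illustration.

```java
import java.util.Map;
import java.util.function.DoubleBinaryOperator;
import java.util.regex.Pattern;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

public class CalculatorService {

    // Flagged pattern: user-controlled text is handed to an eval-style API, so
    // whatever the caller sends is executed as code inside the JVM. Running this
    // needs a JSR-223 engine on the classpath (assumed; not present on every JDK).
    public static Object evaluateUnsafe(String userExpression) throws ScriptException {
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("javascript");
        return engine.eval(userExpression); // input becomes code
    }

    // Remediated form: the input stays data. Only four named operations exist,
    // chosen by map lookup, and operands must match a strict numeric pattern.
    private static final Map<String, DoubleBinaryOperator> OPERATIONS = Map.of(
            "add", (a, b) -> a + b,
            "sub", (a, b) -> a - b,
            "mul", (a, b) -> a * b,
            "div", (a, b) -> a / b);

    private static final Pattern NUMBER = Pattern.compile("-?\\d{1,12}(\\.\\d{1,6})?");

    public static double evaluateSafe(String op, String left, String right) {
        DoubleBinaryOperator fn = OPERATIONS.get(op);
        if (fn == null) {
            throw new IllegalArgumentException("unsupported operation: " + op);
        }
        if (!NUMBER.matcher(left).matches() || !NUMBER.matcher(right).matches()) {
            throw new IllegalArgumentException("operands must be plain decimal numbers");
        }
        return fn.applyAsDouble(Double.parseDouble(left), Double.parseDouble(right));
    }

    public static void main(String[] args) {
        System.out.println(evaluateSafe("mul", "6", "7")); // 42.0
        try {
            // Constructed sample: an operand that is not a plain number is rejected
            // before anything is interpreted, which is the whole point of the rewrite.
            evaluateSafe("mul", "6", "7; something()");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Bearer reports the evaluateUnsafe path; the evaluateSafe path gives the same calculator feature without ever passing request data to an interpreter.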
References
- Associated CWE
- OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --skip-rule=java_lang_eval_using_user_input
To run only this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --only-rule=java_lang_eval_using_user_input