Usage of dangerous 'eval' function

Description

Ruby's eval compiles a string and runs it as Ruby code with the full privileges of the calling process. If an attacker can influence any part of that string (a request parameter, a configuration value, a database field), they can run arbitrary code in the application, which is a code injection vulnerability. Because the string is only turned into code at run time, the danger is invisible to the parser and to most static checks, so this rule reports every use of eval.

Remediations

  • Do not use the eval function. Anything it receives is executed as Ruby, so a string assembled from attacker-controlled data becomes arbitrary code execution. The rule reports every call, including one with a constant argument like the example below, since a literal today is routinely replaced with interpolated input later.
    eval("def hello_world; puts 'Hello world!'; end")  # flagged: compiles and runs a string as Ruby at run time
  • Do use safer alternatives to eval. Pick the language feature or library built for the task: a parser such as JSON or YAML.safe_load for reading data, a hash or case statement mapping an expected name to code you wrote for dispatching on a name, or public_send with an allowlist of method names for dynamic method calls.
  • Do validate all inputs against a strict allowlist if you must use dynamic code execution. Compare the input to a fixed set of expected values and reject everything else; trying to sanitize a code string by stripping "dangerous" characters is unreliable, because Ruby offers too many ways to express the same call.
  • Do run dynamically executed code in a restricted environment if it is absolutely necessary. Ruby itself provides no sandbox (the $SAFE level has had no effect since Ruby 2.7 and was removed in 3.0), so isolate at the operating-system level: a separate process or container with no credentials, no network access and tight resource limits, so that a successful injection cannot reach the main application.
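The following is an added example, not code from the Bearer rule or its documentation, putting the remediations above side by side: the same feature first implemented with eval over attacker-controlled input, then re-implemented with an allowlisted dispatch table. The request format, the function names and the operation set are assumptions made for the illustration.

```ruby
# Added example (not from the Bearer rule page): the same feature built on
# eval with attacker-controlled input, then rebuilt on an allowlist.
require "json"

# Assumed scenario: a request body is a JSON document such as
#   {"op": "upcase", "arg": "hello"}
# and the application applies the named String operation to the argument.

# VULNERABLE: the "op" value is spliced into Ruby source and executed.
# Anything a caller appends after the method name runs with the full
# privileges of the Ruby process (e.g. `upcase; system("id")`).
def apply_with_eval(request_json)
  req = JSON.parse(request_json)
  eval("#{req['arg'].inspect}.#{req['op']}")
end

# SAFE: the caller's string is only ever used as a lookup key; the code
# that runs was written by the developer. Unknown operations are rejected,
# which is the allowlist validation the remediation asks for.
ALLOWED_OPS = {
  "upcase"   => ->(s) { s.upcase },
  "downcase" => ->(s) { s.downcase },
  "reverse"  => ->(s) { s.reverse },
  "length"   => ->(s) { s.length },
}.freeze

def apply_without_eval(request_json)
  req = JSON.parse(request_json)
  arg = req["arg"]
  raise ArgumentError, "arg must be a string" unless arg.is_a?(String)
  op = ALLOWED_OPS.fetch(req["op"]) do
    raise ArgumentError, "unsupported op: #{req['op'].inspect}"
  end
  op.call(arg)
end

# Constructed inputs: one benign request and one that abuses eval. The
# malicious "op" only sets a global here so the demo stays harmless.
BENIGN_REQUEST    = JSON.generate("op" => "upcase", "arg" => "hello")
MALICIOUS_REQUEST = JSON.generate("op" => "upcase.tap { $eval_injected = true }",
                                  "arg" => "hello")

if __FILE__ == $PROGRAM_NAME
  $eval_injected = false
  puts apply_with_eval(MALICIOUS_REQUEST)          # "HELLO", but the payload also ran
  puts "payload executed via eval: #{$eval_injected}"
  puts apply_without_eval(BENIGN_REQUEST)          # "HELLO"
  begin
    apply_without_eval(MALICIOUS_REQUEST)
  rescue ArgumentError => e
    puts "rejected without eval: #{e.message}"
  end
end
```

The vulnerable version still returns the expected "HELLO" for the malicious request, which is exactly why eval injection tends to go unnoticed in testing: the attacker's code runs as a side effect while the visible result looks right. The allowlisted version never interprets the input, so the same request is rejected with an error instead.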

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_lang_eval_linter

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_lang_eval_linter