Usage of dangerous 'eval' function


The use of the eval function, which dynamically executes code represented as strings, poses a high security risk in any programming environment. This is primarily because it can be exploited to run arbitrary and potentially harmful code, making the application vulnerable to code injection attacks.


  • Do not use the eval function. Its ability to execute code that can be manipulated by an attacker introduces various injection vulnerabilities.
    eval("def hello_world; puts 'Hello world!'; end")
  • Do explore safer alternatives to eval. Use language features or libraries specifically designed for the task you're trying to accomplish with eval.
  • Do validate and sanitize all inputs if you must use dynamic code execution. This reduces the risk of executing malicious code.
  • Do use restricted execution environments for running code dynamically if absolutely necessary. This minimizes the potential impact of malicious code execution by isolating it from the main application environment.


Associated CWE

OWASP Top 10


To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_lang_eval_linter

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_lang_eval_linter