# Use of eval detected.
- Rule ID: ruby_lang_eval_linter
- Languages: ruby
- Source: eval_linter.yml
## Description

The use of the `eval` function, which dynamically executes code represented as strings, poses a significant security risk in any programming environment. This is primarily because it can be exploited to run arbitrary and potentially harmful code, making the application vulnerable to code injection attacks.
## Remediations

To maintain the security integrity of your application:

❌ **Refrain from using `eval`**

Avoid using the `eval` function, as it executes code that can be manipulated by an attacker. Code execution through `eval` can lead to various injection vulnerabilities.

✅ **Explore safer alternatives to `eval`**

Depending on the context, these might include:

- Parsing and handling data formats (like JSON) using safe libraries.
- Using functions or libraries specifically designed for the task you're trying to accomplish with `eval`.
- Implementing functionality directly in the language itself, rather than executing dynamically generated code.

✅ **Validate and sanitize inputs**

If there's an absolute necessity to use a form of dynamic code execution, rigorously validate and sanitize all inputs to reduce the risk of malicious code execution.

✅ **Use restricted execution environments**

In scenarios where dynamic execution is unavoidable, consider running the code in a sandboxed or restricted environment where the potential impact of malicious actions is minimized.
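The following Ruby snippet is an added example, not code from the Bearer rule or its documentation. It shows the pattern this rule flags (a settings string passed straight to `eval`) beside two of the safer alternatives listed above: treating the payload as data with `JSON.parse`, and replacing dynamically evaluated operation names with an allow-listed dispatch table. The function names `load_settings_unsafe`, `load_settings`, `apply_op` and the constant `ALLOWED_OPS` are assumptions for this example.

```ruby
require 'json'

# --- Before: the pattern the rule reports ---
# The payload is executed as Ruby. A literal hash works, but any other
# Ruby expression in `payload` runs too, so the caller's input becomes code.
def load_settings_unsafe(payload)
  eval(payload) # flagged by ruby_lang_eval_linter
end

# --- After (alternative 1): treat the payload as data, not code ---
# JSON.parse only yields strings, numbers, arrays, hashes, true/false/nil.
# It never executes anything, and the shape check rejects unexpected input.
def load_settings(payload)
  data = JSON.parse(payload)
  raise ArgumentError, 'settings must be a JSON object' unless data.is_a?(Hash)
  data
end

# --- After (alternative 2): allow-listed dispatch instead of eval'd names ---
# Instead of building "values.#{op}" and evaluating it, map the permitted
# operation names to explicit implementations. Unknown names are rejected
# rather than executed.
ALLOWED_OPS = {
  'sum'  => ->(xs) { xs.sum },
  'max'  => ->(xs) { xs.max },
  'mean' => ->(xs) { xs.sum.fdiv(xs.length) }
}.freeze

def apply_op(name, values)
  op = ALLOWED_OPS.fetch(name) do
    raise ArgumentError, "unknown operation: #{name.inspect}"
  end
  op.call(values)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs for a stand-alone run.
  p load_settings('{"retries": 3, "verbose": true}')
  p apply_op('mean', [2, 4, 9])
end
```

The allow-list form is also what "validate and sanitize inputs" looks like in practice: the user supplies only a key into a fixed table, so there is no string of code to sanitize in the first place.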
## Resources

- Associated CWE
- OWASP Top 10
## Configuration

To skip this rule during a scan, use the following flag:

```shell
bearer scan /path/to/your-project/ --skip-rule=ruby_lang_eval_linter
```

To run only this rule during a scan, use the following flag:

```shell
bearer scan /path/to/your-project/ --only-rule=ruby_lang_eval_linter
```