Use of eval detected.
- Rule ID: ruby_lang_eval_linter
- Languages: ruby
- Source: eval_linter.yml
The use of the `eval` function, which dynamically executes code represented as strings, poses a significant security risk in any programming environment. This is primarily because it can be exploited to run arbitrary and potentially harmful code, making the application vulnerable to code injection attacks.
To maintain the security integrity of your application:
❌ Avoid using the `eval` function, as it executes code that can be manipulated by an attacker. Code execution through `eval` can lead to various injection vulnerabilities.
✅ Explore safer alternatives to `eval`. Depending on the context, these might include:
- Parsing and handling data formats (like JSON) using safe libraries.
- Using functions or libraries specifically designed for the task you're trying to accomplish with `eval`.
- Implementing functionality directly in the language itself, rather than executing dynamically generated code.
✅ Validate and sanitize inputs. If there's an absolute necessity to use a form of dynamic code execution, rigorously validate and sanitize all inputs to reduce the risk of malicious code execution.
✅ Use restricted execution environments. In scenarios where dynamic execution is unavoidable, consider running the code in a sandboxed or restricted environment where the potential impact of malicious actions is minimized.
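The following Ruby example is added here to illustrate the first two recommendations above; it is not code from the Bearer rule or its documentation. It shows the pattern this rule flags (treating a data string as Ruby code via `eval`) next to two safer replacements: a real parser for the data format (`JSON.parse`) and an explicit allowlist of operations instead of evaluating a caller-supplied name. The sample input string and the operation names are constructed assumptions.

```ruby
require 'json'

# Constructed sample input (assumption): the kind of string a request body
# or a config field might carry.
RAW_CONFIG = '{"greeting": "hello", "repeat": 3}'

# Pattern the rule flags: "parsing" data by evaluating it as Ruby code.
# It happens to work on benign input, but anything an attacker can place
# in the string runs with the application's own privileges.
def load_config_unsafe(raw)
  eval(raw) # ruby_lang_eval_linter reports this call
end

# Safer alternative 1: use a parser built for the data format. JSON.parse
# only ever produces data (hashes, arrays, strings, numbers), never code.
def load_config_safe(raw)
  JSON.parse(raw)
end

# Safer alternative 2: when behaviour must be selected by name, dispatch
# through a frozen allowlist of known operations (constructed examples)
# instead of evaluating the name. Unknown names are rejected, not executed.
ALLOWED_OPERATIONS = {
  'upcase'   => ->(s) { s.upcase },
  'reverse'  => ->(s) { s.reverse },
  'truncate' => ->(s) { s[0, 5] }
}.freeze

def apply_operation(name, value)
  op = ALLOWED_OPERATIONS.fetch(name) do
    raise ArgumentError, "unsupported operation: #{name.inspect}"
  end
  op.call(value)
end

if __FILE__ == $PROGRAM_NAME
  p load_config_safe(RAW_CONFIG)
  p apply_operation('upcase', 'hello')
  begin
    apply_operation('system', 'hello')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The allowlist is the piece that replaces input validation done by hand: the caller never supplies code or a method name that is looked up dynamically, only a key that must already exist in a table the application controls.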
OWASP Top 10
To skip this rule during a scan, use the following flag:

```
bearer scan /path/to/your-project/ --skip-rule=ruby_lang_eval_linter
```

To run only this rule during a scan, use the following flag:

```
bearer scan /path/to/your-project/ --only-rule=ruby_lang_eval_linter
```