Use of eval detected.

• Rule ID: ruby_lang_eval_linter
• Languages: ruby
• Source: eval_linter.yml

Description

The use of the eval function, which dynamically executes code represented as strings, poses a significant security risk in any programming environment. This is primarily because it can be exploited to run arbitrary and potentially harmful code, making the application vulnerable to code injection attacks.

Remediations

To maintain the security integrity of your application:

❌ Refrain from using eval Avoid using the eval function as it executes code that can be manipulated by an attacker. Code execution through eval can lead to various injection vulnerabilities.

✅ Explore safer alternatives to eval. Depending on the context, these might include:

• Parsing and handling data formats (like JSON) using safe libraries.
• Using functions or libraries specifically designed for the task you're trying to accomplish with eval.
• Implementing functionality directly in the language itself, rather than executing dynamically generated code.

✅ Validate and Sanitize Inputs If there's an absolute necessity to use a form of dynamic code execution, rigorously validate and sanitize all inputs to reduce the risk of malicious code execution.

✅ Use Restricted Execution Environments In scenarios where dynamic execution is unavoidable, consider running the code in a sandboxed or restricted environment where the potential impact of malicious actions is minimized.

Resources

• OWASP: Eval Injection
• MDN Web Docs: Never use eval!

Associated CWE

• CWE-94: Improper Control of Generation of Code ('Code Injection')

OWASP Top 10

• A03:2021 - Injection

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_lang_eval_linter

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_lang_eval_linter