Unsanitized user input in 'eval' type function

Description

Executing code with 'eval' or similar functions on unsanitized user input is risky and can lead to code injection vulnerabilities. The flaw occurs when external input is passed directly to a function that evaluates it as code, so an attacker who controls that input can run arbitrary code with the full privileges of your application.

Remediations

  • Do not pass unsanitized user input to eval or similar code-execution functions (instance_eval, class_eval, Kernel#eval, and the like). Any value an attacker can influence becomes code that runs inside your process.
  • Do use user input only to choose between hardcoded code strings, never as part of the string itself. The input then selects a branch, but the code that is executed is fixed at development time and cannot be altered by an attacker.
    get_total_str = if params["include_vat"]
                      "def get_total(a,b,c); a + b + c; end"
                    else
                      "def get_total(a,b); a + b; end"
                    end

    cart.instance_eval(get_total_str)

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_lang_eval_using_user_input

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_lang_eval_using_user_input