Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Description
Ruby's `Kernel#eval` executes a string argument as Ruby code, and the string forms of `instance_eval`, `class_eval` and `module_eval` do the same. When the evaluated string contains input that an external user controls or can influence, the attacker can run arbitrary Ruby in the application's process with the application's privileges. The result is remote code execution on the server: unauthorized access, data leakage, or full server compromise.
Examples
Insecure Code
```ruby
eval(user_input)
```
Secure Code
```ruby
# `method` must already have been checked against a fixed allowlist of
# permitted operation names; `send` alone does not restrict what is called.
calculator.send(method, a, b)
```
Remediation
Never pass a user-controlled string to `eval` or its `*_eval` relatives. Where a method must be chosen at runtime, compare the requested name against a fixed allowlist before dispatching, and prefer `public_send` over `send` so private methods such as `Kernel#system` are not reachable. Note that `public_send` is not a control on its own: public methods like `instance_eval` still evaluate code, so the allowlist is what actually limits the attacker. For expression or query languages, use a purpose-built parser or DSL rather than Ruby itself.
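The following is an added example and not code from the rule page or from semgrep: the eval-based calculator beside an allowlisted dispatch, plus a function showing why dispatching an attacker-chosen method name without an allowlist is still code execution. The `Calculator` class, its `OPERATIONS` constant and the helper names are illustrative assumptions.

```ruby
# Added example, not part of the rule page. Calculator, OPERATIONS and the
# helper names are illustrative assumptions.

# Vulnerable: whatever string the caller supplies becomes Ruby code.
def calculate_with_eval(expr)
  eval(expr)
end

class Calculator
  # The allowlist: the only method names that may be chosen at runtime.
  OPERATIONS = %w[add sub mul div].freeze

  def add(a, b); a + b; end
  def sub(a, b); a - b; end
  def mul(a, b); a * b; end

  def div(a, b)
    raise ZeroDivisionError, "division by zero" if b.zero?
    a / b
  end
end

# Still unsafe: dispatching an attacker-chosen name without an allowlist.
# `send` reaches private Kernel methods such as `system`; `public_send`
# blocks those, but public methods like `instance_eval` still evaluate code.
def unguarded_dispatch(method_name, payload)
  calc = Calculator.new
  [calc.send(method_name, payload), calc.public_send(method_name, payload)]
end

# Hardened: reject anything outside the allowlist before dispatching, then
# use public_send and coerce the operands to Integer so no other string
# reaches the arithmetic.
def calculate(op, a, b)
  op = op.to_s
  unless Calculator::OPERATIONS.include?(op)
    raise ArgumentError, "unsupported operation: #{op.inspect}"
  end
  Calculator.new.public_send(op, Integer(a), Integer(b))
end

if __FILE__ == $PROGRAM_NAME
  puts calculate_with_eval("File.basename('/etc/passwd')") # passwd: code, not arithmetic, ran
  p unguarded_dispatch("instance_eval", "7 * 6")             # [42, 42]
  puts calculate("add", "2", "3")                             # 5
  begin
    calculate("instance_eval", "7 * 6", "0")
  rescue ArgumentError => e
    puts e.message                                            # unsupported operation: "instance_eval"
  end
end
```

The allowlist check runs before any dispatch and before operand coercion, so a rejected name never reaches `public_send`; `Integer()` is used instead of `to_i` so that a non-numeric operand raises rather than silently becoming 0.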
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0529 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-95 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | eval, injection, ruby |
| OWASP | A1:2017-Injection, A03:2021-Injection |
References
- https://github.com/semgrep/semgrep-rules/blob/develop/ruby/lang/security/no-eval.yaml
- https://owasp.org/Top10/A03_2021-Injection