ID: ruby-security/no-eval
Language: Ruby
Severity: Info
Category: Security
CWE: 94
The `eval` method in Ruby executes a string of code at runtime, effectively treating that string as part of the program. While powerful, it exposes your code to significant security risk, because it executes whatever code it is given, including code that can alter or delete data or interact with the system on which your Ruby program runs.

Using `eval` is considered bad practice because it can lead to code injection attacks: an attacker can inject malicious code into the string that `eval` executes, which can lead to unauthorized access to sensitive data, data corruption, or even a takeover of the entire system.

Instead of `eval`, consider safer alternatives such as `send` or `public_send`. These methods let you call methods dynamically on objects without the security risks associated with `eval`. If you need to execute dynamically generated code, consider the `RubyVM::InstructionSequence` class, which can compile and execute code in a safer manner. Always validate and sanitize any user input that will be used in these methods to prevent code injection attacks.
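To make the guidance above concrete, here is an added example (not code from the Datadog rule page) that dispatches a runtime-chosen operation first through `eval` and then through an allow-listed `public_send`. `Report`, `ALLOWED_OPS` and the two `run_with_*` helpers are hypothetical names chosen for the illustration.

```ruby
# Added example: the same "run the operation the caller asked for" feature
# written with eval (flagged by this rule) and with an allow-listed
# public_send (the recommended alternative). All names are hypothetical.

class Report
  def initialize(rows)
    @rows = rows
  end

  def count
    @rows.size
  end

  def total
    @rows.sum
  end

  private

  # Not meant to be callable from outside; public_send cannot reach it.
  def raw_rows
    @rows
  end
end

# Vulnerable: the caller-controlled string is spliced into Ruby source and
# executed. Anything the caller appends after the method name runs too, so
# the "operation" is really arbitrary code.
def run_with_eval(report, op)
  eval("report.#{op}")
end

# Hardened: the caller may only pick one of a fixed set of public methods.
# public_send is used rather than send so that private methods such as
# raw_rows stay unreachable even if the allow-list is later widened.
ALLOWED_OPS = %w[count total].freeze

def run_with_public_send(report, op)
  unless ALLOWED_OPS.include?(op)
    raise ArgumentError, "unknown operation: #{op.inspect}"
  end
  report.public_send(op)
end
```

With input `"count; 42"`, the `eval` version evaluates the injected expression and returns 42, while the `public_send` version rejects the string before any method is called.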
```ruby
# eval-family calls whose argument is a variable
Array.class_eval(something)
Something.module_eval(b)
eval(b)
eval(b, bindings)
eval(foo, b)
eval(foo)
RubyVM::InstructionSequence.compile(foo).eval
```

```ruby
# calls whose argument is a string literal
eval("something")
RubyVM::InstructionSequence.compile("foo")
```
For more information, please read the Code Analysis documentation