---
title: Avoid use of eval
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST
  Rules > Avoid use of eval
---

# Avoid use of eval

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**ID:** `ruby-security/no-eval`

**Language:** Ruby

**Severity:** Info

**Category:** Security

**CWE**: [94](https://cwe.mitre.org/data/definitions/94.html)

**Related CWEs**:

- [96](https://cwe.mitre.org/data/definitions/96.html)
- [1336](https://cwe.mitre.org/data/definitions/1336.html)

## Description{% #description %}

The `eval` method in Ruby is used to execute a string of code at runtime, essentially treating it as a part of the program. While powerful, it exposes your code to significant security risks, as it can execute any code it's given. This includes potentially harmful code that can alter or delete data, or interact with the system on which your Ruby program is running.

The use of `eval` is considered a bad practice because it can lead to code injection attacks. An attacker can inject malicious code into the string that `eval` will execute. This can lead to a variety of security vulnerabilities, such as unauthorized access to sensitive data, corruption of data, or even taking control of the entire system.

Instead of using `eval`, consider safer alternatives such as `send` or `public_send`, which let you call methods dynamically on objects without executing arbitrary source text (`public_send` additionally refuses to call private methods). If you must run dynamically generated code, the `RubyVM::InstructionSequence` class can compile and execute it in a more controlled manner; note that the rule still flags compiling a non-literal string and calling `eval` on the result, while a literal string passed to `eval` is not reported. Always validate and sanitize any user input that reaches these methods, and prefer an explicit allow list of method names over passing caller-supplied names straight through.
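The following is an added example, not code from the Datadog rule page: it places a request-driven dispatcher built on `eval` next to a hardened version that uses an allow list and `public_send`. `ReportService`, its methods, and the request values are constructed for the demonstration.

```ruby
# Added example (not from the rule page): eval-based dispatch versus an
# allow-listed public_send. All names and inputs below are constructed.

class ReportService
  attr_reader :dropped

  def initialize
    @dropped = false
  end

  def summary(period)
    "summary for #{period}"
  end

  def export(period)
    "export for #{period}"
  end

  # Stands in for a privileged operation a request must never reach.
  def drop_all_tables
    @dropped = true
  end
end

# Non-compliant: the action name is interpolated into Ruby source and handed
# to eval, so whatever the caller places in `action` runs as code with the
# application's privileges. The SAST rule flags this call.
def dispatch_with_eval(service, action, period)
  eval("service.#{action}(#{period.inspect})")
end

# Compliant: only explicitly listed method names may be called, the argument is
# passed as a value rather than spliced into source text, and public_send will
# not invoke private methods.
ALLOWED_ACTIONS = %w[summary export].freeze

class UnknownActionError < StandardError; end

def dispatch_safely(service, action, period)
  unless ALLOWED_ACTIONS.include?(action)
    raise UnknownActionError, "action not permitted: #{action.inspect}"
  end
  service.public_send(action, period)
end

# Runs both dispatchers against a constructed request whose action field
# carries extra Ruby code, and reports what each one did.
def demo
  crafted_action = "drop_all_tables; service.summary" # constructed input
  period = "2024-Q1"
  results = {}

  eval_svc = ReportService.new
  results[:eval_result] = dispatch_with_eval(eval_svc, crafted_action, period)
  results[:eval_reached_privileged] = eval_svc.dropped

  safe_svc = ReportService.new
  results[:safe_result] = dispatch_safely(safe_svc, "summary", period)
  begin
    dispatch_safely(safe_svc, crafted_action, period)
    results[:safe_blocked] = false
  rescue UnknownActionError
    results[:safe_blocked] = true
  end
  results[:safe_reached_privileged] = safe_svc.dropped

  results
end

p demo if $PROGRAM_NAME == __FILE__
```

The eval path returns a plausible-looking summary while also having executed the privileged method smuggled in through the action string; the allow-listed path serves the legitimate action and rejects the crafted one before any method is invoked.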

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```ruby
Array.class_eval(something)
Something.module_eval(b)
eval(b)
eval(b,bindings)
eval(foo,b)
eval(foo)
RubyVM::InstructionSequence.compile(foo).eval
```

## Compliant Code Examples{% #compliant-code-examples %}

```ruby
eval("something")
RubyVM::InstructionSequence.compile("foo")
```