Security-Eval.md

File metadata and controls

23 lines (14 loc) · 698 Bytes

Pattern: Use of eval

Issue: -

Description

Never pass untrusted or user-controlled input to eval.

Unless you are implementing a REPL like irb or pry, eval is almost certainly not what you want. Do not attempt to filter user input before passing it to eval; this approach is fraught with danger and will most likely open your application up to a serious remote code execution vulnerability.

Examples

```ruby
# bad
eval(something)
binding.eval(something)
```
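As an added illustration (not part of the original guide), the following shows the eval-driven version of a common pattern, sorting records by a user-chosen field, beside a hardened version that maps the input onto a fixed allowlist instead of turning it into code. The record type, field names and function names are assumptions made for the example.

```ruby
# Added example, not from the original guide. Scenario and names are assumed.

Record = Struct.new(:name, :age)

# Constructed sample data.
RECORDS = [Record.new("carol", 41), Record.new("alice", 29), Record.new("bob", 35)].freeze

# bad: the user-controlled field name is interpolated into source text and eval'd.
# Whatever the caller puts in `field` runs with the application's privileges,
# and any attempt to "filter" the string is exactly what the guide warns against.
def sort_by_field_unsafe(records, field)
  records.sort_by { |r| eval("r.#{field}") }
end

# good: user input selects an entry from a fixed allowlist of attributes and is
# rejected before any code runs. No string is ever converted into code, so even
# names of real methods outside the allowlist (e.g. "object_id") are refused.
SORTABLE_FIELDS = { "name" => :name, "age" => :age }.freeze

def sort_by_field(records, field)
  attr = SORTABLE_FIELDS.fetch(field.to_s) do
    raise ArgumentError, "unsupported sort field: #{field.inspect}"
  end
  records.sort_by { |r| r.public_send(attr) }
end

# Boundary check: true only for inputs the hardened version will accept.
def sortable_field?(field)
  SORTABLE_FIELDS.key?(field.to_s)
end
```

For legitimate input both versions return the same ordering; the difference is that the hardened version has no code path in which input becomes code.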

Further Reading