Code injection
ID: rb/code-injection
Kind: path-problem
Security severity: 9.3
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-094
- external/cwe/cwe-095
- external/cwe/cwe-116
Query suites:
- ruby-code-scanning.qls
- ruby-security-extended.qls
- ruby-security-and-quality.qls
Directly evaluating user input (for example, an HTTP request parameter) as code without first sanitizing the input allows an attacker to execute arbitrary code. This can occur when user input is passed to code that interprets it as an expression to be evaluated, using methods such as Kernel.eval or Kernel.send.
Recommendation
Avoid including user input in any expression that may be dynamically evaluated. If user input must be included, use context-specific escaping before including it. It is important that the correct escaping is used for the type of evaluation that will occur.
Example
The following example shows two functions setting a name from a request. The first function uses eval to execute the set_name method. This is dangerous as it can allow a malicious user to execute arbitrary code on the server. For example, the user could supply the value "' + exec('rm -rf') + '" to destroy the server's file system. The second function calls the set_name method directly and is thus safe.
class UsersController < ActionController::Base
  # BAD - Allow user to define code to be run.
  def create_bad
    first_name = params[:first_name]
    eval("set_name(#{first_name})")
  end

  # GOOD - Call code directly
  def create_good
    first_name = params[:first_name]
    set_name(first_name)
  end

  def set_name(name)
    @name = name
  end
end
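The controller above, recast as an added plain-Ruby example (not the query help's own code and not dependent on Rails) so both paths can be run offline; `params` is a constructed Hash standing in for the request parameters, and the extra `dispatch_good` method covers the Kernel.send variant the description mentions, guarding it with an allowlist:

```ruby
# Added example, not the query help's own code: a plain-Ruby stand-in for the
# Rails controller above so the two paths can be exercised offline.
# `params` is a constructed Hash standing in for the request parameters.
class UsersController
  attr_reader :name, :marker

  def initialize(params)
    @params = params
  end

  # BAD - the request value is spliced into source text and evaluated, so the
  # client controls Ruby code, not just a String. (Even a plain value such as
  # "Ann" breaks here: eval("set_name(Ann)") raises NameError.)
  def create_bad
    eval("set_name(#{@params[:first_name]})")
    self
  end

  # GOOD - the request value is passed as an ordinary String argument.
  def create_good
    set_name(@params[:first_name])
    self
  end

  # GOOD - dynamic dispatch on a request value, the Kernel.send case, is only
  # safe when the method name is checked against a fixed allowlist first.
  ALLOWED_ACTIONS = %w[set_name].freeze

  def dispatch_good
    action = @params[:action].to_s
    raise ArgumentError, "unknown action: #{action}" unless ALLOWED_ACTIONS.include?(action)
    public_send(action, @params[:first_name])
    self
  end

  def set_name(name)
    @name = name
  end
end

# Constructed probe: to create_good it is just a String; to create_bad it is
# valid Ruby that closes the set_name call and runs a second statement, which
# is observable afterwards as @marker. It is deliberately harmless.
PROBE = "'Ann'); @marker = :evaluated; ('x'"
```

Running create_good and create_bad on the same PROBE value shows the difference the query flags: the safe path stores the whole string as the name and never touches @marker, while the eval path parses it as code.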
References
OWASP: Code Injection.
Wikipedia: Code Injection.
Common Weakness Enumeration: CWE-94.
Common Weakness Enumeration: CWE-95.
Common Weakness Enumeration: CWE-116.