Hard-coded data interpreted as code¶
ID: rb/hardcoded-data-interpreted-as-code Kind: path-problem Severity: error Precision: medium Tags: - security - external/cwe/cwe-506 Query suites: - ruby-security-extended.qls - ruby-security-and-quality.qls
Interpreting hard-coded data (such as string literals containing hexadecimal numbers) as code or as an import path is typical of malicious backdoor code that has been implanted into an otherwise trusted code base and is trying to hide its true purpose from casual readers or automated scanning tools.
Examine the code in question carefully to ascertain its provenance and its true purpose. If the code is benign, it should always be possible to rewrite it without relying on dynamically interpreting data as code, improving both clarity and safety.
event-stream npm package:
def e(r) [r].pack 'H*' end # BAD: hexadecimal constant decoded and interpreted as import path require e("2e2f746573742f64617461")
While this shows only the first few lines of code, it already looks very suspicious since it takes a hard-coded string literal, hex-decodes it and then uses it as an import path. The only reason to do so is to hide the name of the file being imported.