class Brakeman::CheckEvaluation
This check looks for calls to `eval`, `instance_eval`, `class_eval` and `module_eval` whose arguments include user input.
Public Instance Methods
process_result(result)
Warns if eval includes user input
# File lib/brakeman/checks/check_evaluation.rb, line 22
# Emits a high-confidence "Dangerous Eval" warning when the arguments of an
# eval-like call contain user input.
#
# Passing user-controlled data to eval lets that data run as Ruby code
# in the application process, so any tainted argument is reported.
#
# @param result [Hash] a call result from tracker.find_call; only
#   result[:call].arglist is inspected here
# @return [nil] when the result is not original or carries no user input;
#   otherwise the value of +warn+ (defined in BaseCheck, not shown here)
def process_result result
  # original? presumably filters results already reported elsewhere —
  # defined in BaseCheck, confirm there.
  return unless original? result

  input = include_user_input?(result[:call].arglist)
  return unless input

  warn result: result,
       warning_type: "Dangerous Eval",
       warning_code: :code_eval,
       message: "User input in eval",
       user_input: input,
       confidence: :high
end
run_check()
Process calls
# File lib/brakeman/checks/check_evaluation.rb, line 11
# Entry point for the check: collects every eval-like call the tracker
# knows about and hands each one to process_result.
#
# The searched method names are eval, instance_eval, class_eval and
# module_eval. `nested: true` is passed to the tracker's find_call; its
# exact effect (presumably including calls nested inside other
# expressions) is defined in the tracker, not here.
#
# @return [Array] the list of call results that was iterated
def run_check
  Brakeman.debug "Finding eval-like calls"
  eval_like = %i[eval instance_eval class_eval module_eval]
  found = tracker.find_call(methods: eval_like, nested: true)

  Brakeman.debug "Processing eval-like calls"
  found.each { |call| process_result call }
end