Class: RuboCop::Cop::Security::Eval

Inherits: Base
  • Object

Defined in: lib/rubocop/cop/security/eval.rb

Overview

Checks for the use of `Kernel#eval` and `Binding#eval` with dynamic strings as arguments. Evaluating non-literal strings can enable code injection attacks and makes it difficult to reason about what code will actually be executed.

Calls to eval with literal strings are not flagged by this cop, as they do not pose the same injection risk.

Examples:

# bad
eval(something)
binding.eval(something)
Kernel.eval(something)

# good - use safer alternatives
obj.public_send(method_name)
obj.send(method_name, *args)

# good - literal strings are allowed
eval("1 + 1")
binding.eval("foo")
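The difference between the "bad" and "good" shapes above, as an added example that is not RuboCop's own code: `run_with_eval` is the form the cop reports (a dstr argument that is not a pure literal), while `run_with_send` uses `public_send` behind an allowlist. The `Counter` class, `SIDE_EFFECTS` and the two input strings are constructed for illustration.

```ruby
# Added example (not RuboCop's own code); Counter and the inputs are constructed.
class Counter
  def initialize(n)
    @n = n
  end

  def double
    @n * 2
  end
end
# Records whether code smuggled in through the operation name actually ran.
SIDE_EFFECTS = []

# bad: the caller-controlled operation is spliced into a string and evaluated,
# so any Ruby appended to it runs as well. This is the shape the cop reports.
def run_with_eval(obj, operation)
  eval("obj.#{operation}")
end

# good: dispatch by name without evaluating code. public_send on its own still
# exposes every public method (instance_variable_set included), so the name is
# checked against an allowlist first.
ALLOWED_OPERATIONS = %w[double].freeze

def run_with_send(obj, operation)
  unless ALLOWED_OPERATIONS.include?(operation)
    raise ArgumentError, "operation not allowed: #{operation.inspect}"
  end
  obj.public_send(operation)
end

# Constructed inputs: a legitimate operation and one carrying extra code.
LEGIT_INPUT = 'double'
INJECTED_INPUT = 'double; SIDE_EFFECTS << :injected_code_ran'

# Runs both variants on both inputs and reports what happened.
def demo
  counter = Counter.new(21)
  eval_ok = run_with_eval(counter, LEGIT_INPUT)
  run_with_eval(counter, INJECTED_INPUT)
  send_ok = run_with_send(counter, LEGIT_INPUT)
  send_rejected = begin
    run_with_send(counter, INJECTED_INPUT)
    false
  rescue ArgumentError
    true
  end
  { eval_ok: eval_ok, injected_via_eval: SIDE_EFFECTS.include?(:injected_code_ran),
    send_ok: send_ok, send_rejected: send_rejected }
end
```

Running `demo` shows the appended code executing under `eval` while the allowlisted `public_send` path rejects the same input.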

Constant Summary

MSG = 'The use of `eval` is a serious security risk.'
RESTRICT_ON_SEND = %i[eval].freeze

Instance Attribute Summary

Attributes inherited from Base

#config, #processed_source

Instance Method Summary

Methods inherited from Base

#active_support_extensions_enabled?, #add_global_offense, #add_offense, #always_autocorrect?, autocorrect_incompatible_with, badge, #begin_investigation, #callbacks_needed, callbacks_needed, #config_to_allow_offenses, #config_to_allow_offenses=, #contextual_autocorrect?, #cop_config, #cop_name, cop_name, department, documentation_url, exclude_from_registry, #excluded_file?, #external_dependency_checksum, inherited, #initialize, #inspect, joining_forces, lint?, match?, #message, #offenses, #on_investigation_end, #on_new_investigation, #on_other_file, #parse, #parser_engine, #ready, #relevant_file?, requires_gem, #string_literals_frozen_by_default?, support_autocorrect?, support_multiple_source?, #target_gem_version, #target_rails_version, #target_ruby_version

Methods included from ExcludeLimit

#exclude_limit

Methods included from AutocorrectLogic

#autocorrect?, #autocorrect_enabled?, #autocorrect_requested?, #autocorrect_with_disable_uncorrectable?, #correctable?, #disable_uncorrectable?, #safe_autocorrect?

Methods included from IgnoredNode

#ignore_node, #ignored_node?, #part_of_ignored_node?

Methods included from Util

silence_warnings

Constructor Details

This class inherits a constructor from RuboCop::Cop::Base

Instance Method Details

#eval?(node) ⇒ Object

# File 'lib/rubocop/cop/security/eval.rb', line 33

def_node_matcher :eval?, <<~PATTERN
  (send {nil? (send nil? :binding) (const {cbase nil?} :Kernel)} :eval $!str ...)
PATTERN

#on_send(node) ⇒ Object

# File 'lib/rubocop/cop/security/eval.rb', line 37

def on_send(node)
  eval?(node) do |code|
    # An interpolated string whose parts are all literals (e.g. "#{'a'}")
    # cannot carry injected code, so it is treated like a plain literal.
    return if code.dstr_type? && code.recursive_literal?

    # Report on the `eval` selector itself rather than the whole call.
    add_offense(node.loc.selector)
  end
end