
require 'railroader/checks/base_check'

# This check looks for calls to +eval+, +instance_eval+, etc. whose arguments
# include user input.
class Railroader::CheckEvaluation < Railroader::BaseCheck
  Railroader::Checks.add self

  @description = "Searches for evaluation of user input"

  # Entry point for the check: collect every call to an eval-like method
  # (+eval+, +instance_eval+, +class_eval+, +module_eval+) known to the
  # tracker and hand each one to #process_result.
  #
  # @return [void]
  def run_check
    Railroader.debug "Finding eval-like calls"
    eval_calls = tracker.find_call method: %i[eval instance_eval class_eval module_eval]

    Railroader.debug "Processing eval-like calls"
    eval_calls.each { |eval_call| process_result(eval_call) }
  end

  # Emits a high-confidence "Dangerous Eval" warning when any argument of an
  # eval-like call carries user input.
  #
  # @param result [Hash] a match from +tracker.find_call+; +result[:call]+ is
  #   the call node whose +arglist+ is inspected
  # @return [void]
  def process_result(result)
    # original? and include_user_input? are inherited from BaseCheck (not
    # visible here); include_user_input? presumably returns the tainted
    # input when found and nil otherwise — confirm against BaseCheck.
    return unless original? result

    tainted_input = include_user_input?(result[:call].arglist)
    return unless tainted_input

    warn result: result,
      warning_type: "Dangerous Eval",
      warning_code: :code_eval,
      message: "User input in eval",
      code: result[:call],
      user_input: tainted_input,
      confidence: :high
  end
end
