Check to see if this needs to be in sync
that-jill committed Nov 8, 2024
1 parent 0fb4e20 commit 21fef6b
Showing 2 changed files with 3 additions and 2 deletions.
3 changes: 2 additions & 1 deletion packages/consent/lib/consent/dsl.rb
@@ -18,13 +18,14 @@ def with_defaults(new_defaults, &block)
def eval_view(key, label, collection_conditions)
view key, label do |user|
eval(collection_conditions)
# triggering a failure
eval(collection)

Check failure on line 22 in packages/consent/lib/consent/dsl.rb

GitHub Actions / Bearer Security Analysis

[rdjson] reported by reviewdog 🐶

# Usage of dangerous 'eval' function

## Description

The use of the `eval` function, which dynamically executes code represented as strings, poses a high security risk in any programming environment. This is primarily because it can be exploited to run arbitrary and potentially harmful code, making the application vulnerable to code injection attacks.

## Remediations

- **Do not** use the `eval` function. Its ability to execute code that can be manipulated by an attacker introduces various injection vulnerabilities.
  ```ruby
  eval("def hello_world; puts 'Hello world!'; end")
  ```
- **Do** explore safer alternatives to `eval`. Use language features or libraries specifically designed for the task you're trying to accomplish with `eval`.
- **Do** validate and sanitize all inputs if you must use dynamic code execution. This reduces the risk of executing malicious code.
- **Do** use restricted execution environments for running code dynamically if absolutely necessary. This minimizes the potential impact of malicious code execution by isolating it from the main application environment.

## References

- [OWASP: Eval Injection](https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection)
- [MDN Web Docs: Never use eval!](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!)

Rule: ruby_lang_eval_linter (https://docs.bearer.com/reference/rules/ruby_lang_eval_linter), severity ERROR, source Bearer (https://docs.bearer.com/), location packages/consent/lib/consent/dsl.rb line 22, columns 9 to 25.
end
end
# rubocop:enable Lint/UnusedBlockArgument, Security/Eval

def view(key, label, instance = nil, collection = nil, &block)
collection ||= block
eval(collection)
@subject.views[key] = View.new(key, label, instance, collection)
end
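Review bot: the added `eval(collection)` on line 22 sits inside the `view ... do |user|` block of `eval_view`, where the hunk shows only `user` and the method argument `collection_conditions` in scope, so as written it would raise at runtime before evaluating anything; since the comment above it says it exists only to trigger a failure, label it clearly as temporary and make sure it is reverted before this branch is merged. The `# rubocop:enable Lint/UnusedBlockArgument, Security/Eval` that closes the region also means RuboCop is silent about every `eval` here, so Bearer's annotation is the only signal, and that annotation lands only on the new line 22, not on the pre-existing `eval(collection_conditions)` on line 20 that the old reviewdog.json had flagged; confirm whether the reporter is deliberately limited to added lines before treating reviewdog.json as a baseline. Finally, `eval(collection)` in `view` follows `collection ||= block`, so when a block is given `collection` is a Proc and `eval` will raise TypeError rather than run it; if that line is meant to stay, it needs a String or should go.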

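The Bearer remediation above recommends a language feature built for the job instead of `eval`. As an added example that is not code from this repository: a stand-in for the DSL's string-evaluated view condition beside an allow-list compiler that turns a constrained condition string into a Proc, on constructed sample data. `View`, `User`, `Record`, `FIELDS`, `USER_ATTRS`, `OPS` and the `record.<field> <op> user.<attr>` grammar are assumptions, not the project's own.

```ruby
# Added example, not code from the repository: the DSL-style condition string
# run through eval, beside an allow-list compiler that builds a Proc instead.

# Hypothetical stand-ins for the DSL's View and its model objects.
View   = Struct.new(:key, :label, :collection)
User   = Struct.new(:id, :team_id)
Record = Struct.new(:owner_id, :team_id)

# What Bearer flags: the condition string is run as Ruby, so whoever can
# write it runs code in the process.
def insecure_collection(condition)
  ->(user, record) { eval(condition) } # rubocop:disable Security/Eval
end

# Hardened: accept only "record.<field> <op> user.<attr>" with every part
# allow-listed; the comparison is dispatched via public_send, never parsed as code.
FIELDS     = %w[owner_id team_id].freeze
USER_ATTRS = %w[id team_id].freeze
OPS        = { '==' => :==, '!=' => :!= }.freeze
COND_RE    = /\Arecord\.(\w+)\s*(==|!=)\s*user\.(\w+)\z/

def safe_collection(condition)
  m = COND_RE.match(condition)
  raise ArgumentError, "malformed condition: #{condition.inspect}" unless m
  field, op, attr = m.captures
  raise ArgumentError, "field not allowed: #{field}" unless FIELDS.include?(field)
  raise ArgumentError, "user attribute not allowed: #{attr}" unless USER_ATTRS.include?(attr)
  sym = OPS.fetch(op)
  ->(user, record) { record.public_send(field).public_send(sym, user.public_send(attr)) }
end

# Registers a view the way the DSL's `view` does, using the safe compiler.
def safe_view(views, key, label, condition)
  views[key] = View.new(key, label, safe_collection(condition))
end

# Constructed sample data so the file runs stand-alone.
USER    = User.new(7, 2)
RECORDS = [Record.new(7, 2), Record.new(9, 2), Record.new(7, 3)].freeze

def visible(views, key, user = USER, records = RECORDS)
  records.select { |r| views[key].collection.call(user, r) }
end

if $PROGRAM_NAME == __FILE__
  views = {}
  safe_view(views, :mine, 'My records', 'record.owner_id == user.id')
  puts visible(views, :mine).size # 2
end
```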
2 changes: 1 addition & 1 deletion reviewdog.json
@@ -1 +1 @@
{"source":{"name":"Bearer","url":"https://docs.bearer.com/"},"diagnostics":[{"message":"\n# Usage of dangerous 'eval' function\n## Description\n\nThe use of the `eval` function, which dynamically executes code represented as strings, poses a high security risk in any programming environment. This is primarily because it can be exploited to run arbitrary and potentially harmful code, making the application vulnerable to code injection attacks.\n\n## Remediations\n\n- **Do not** use the `eval` function. Its ability to execute code that can be manipulated by an attacker introduces various injection vulnerabilities.\n ```ruby\n eval(\"def hello_world; puts 'Hello world!'; end\")\n ```\n- **Do** explore safer alternatives to `eval`. Use language features or libraries specifically designed for the task you're trying to accomplish with `eval`.\n- **Do** validate and sanitize all inputs if you must use dynamic code execution. This reduces the risk of executing malicious code.\n- **Do** use restricted execution environments for running code dynamically if absolutely necessary. This minimizes the potential impact of malicious code execution by isolating it from the main application environment.\n\n## References\n\n- [OWASP: Eval Injection](https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection)\n- [MDN Web Docs: Never use eval!](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!)","location":{"path":"packages/consent/lib/consent/dsl.rb","range":{"start":{"line":20,"column":9},"end":{"line":20,"column":36}}},"severity":"ERROR","suggestions":[],"code":{"value":"ruby_lang_eval_linter","url":"https://docs.bearer.com/reference/rules/ruby_lang_eval_linter"}}]}
{}
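Review bot: replacing the whole document with `{}` drops the `source` and `diagnostics` keys, so anything that reads this file expecting `diagnostics` to be an array will break on an empty object; an empty baseline should keep the shape, i.e. `{"source":{"name":"Bearer","url":"https://docs.bearer.com/"},"diagnostics":[]}`. Separately, the removed entry pointed at line 20, columns 9 to 36 (`eval(collection_conditions)`), while the annotation on this commit points at line 22, columns 9 to 25 (the new `eval(collection)`), which answers the commit's question: the checked-in file was already out of sync with what Bearer reports.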

0 comments on commit 21fef6b