This check looks for calls to eval, instance_eval, class_eval and module_eval whose arguments include user input (for example params or cookies values reaching the evaluated string).
Warns if an eval-like call includes user input

    # File lib/brakeman/checks/check_evaluation.rb, line 22
    def process_result result
      if input = include_user_input?(result[:call].arglist)
        warn :result => result,
          :warning_type => "Dangerous Eval",
          :message => "User input in eval",
          :code => result[:call],
          :user_input => input.match,
          :confidence => CONFIDENCE[:high]
      end
    end
Finds eval-like calls and processes each one

    # File lib/brakeman/checks/check_evaluation.rb, line 11
    def run_check
      Brakeman.debug "Finding eval-like calls"
      calls = tracker.find_call :method => [:eval, :instance_eval, :class_eval, :module_eval]

      Brakeman.debug "Processing eval-like calls"
      calls.each do |call|
        process_result call
      end
    end
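To show what run_check and process_result actually do on real source, here is a miniature of the same pipeline built on Ruby's stdlib Ripper parser. This is an added example, not Brakeman's code: Brakeman works on its own Sexp representation and its include_user_input? tracks far more sources than the three names checked here. The constants and functions (EVAL_METHODS, USER_INPUT, find_calls, user_input?, dangerous_evals) and the sample controller source are assumptions constructed for this example.

```ruby
require "ripper"

# Added example, not Brakeman's own code. Eval-like methods: the same list
# run_check passes to tracker.find_call.
EVAL_METHODS = %w[eval instance_eval class_eval module_eval].freeze

# Simplified stand-in for Brakeman's include_user_input?: a bare call to one
# of these names anywhere in the argument list counts as user input.
USER_INPUT = %w[params cookies request].freeze

def ident?(node)
  node.is_a?(Array) && node[0] == :@ident
end

# Pre-order walk of a Ripper S-expression collecting every method call as
# [name, line, argument_subtree]. Three Ripper call shapes are handled:
# foo(args) / recv.foo(args), foo args, and recv.foo args.
def find_calls(node, found = [])
  return found unless node.is_a?(Array)
  case node[0]
  when :method_add_arg
    callee = node[1]
    ident = callee.last if callee.is_a?(Array)
    found << [ident[1], ident[2][0], node[2]] if ident?(ident)
  when :command
    found << [node[1][1], node[1][2][0], node[2]] if ident?(node[1])
  when :command_call
    found << [node[3][1], node[3][2][0], node[4]] if ident?(node[3])
  end
  node.each { |child| find_calls(child, found) }
  found
end

# True when the subtree contains a bare call to params/cookies/request
# (Ripper represents a bare `params` as [:vcall, [:@ident, "params", pos]]).
def user_input?(node)
  return false unless node.is_a?(Array)
  return true if node[0] == :vcall && ident?(node[1]) && USER_INPUT.include?(node[1][1])
  node.any? { |child| user_input?(child) }
end

# Counterpart of run_check + process_result: every eval-like call whose
# arguments reference user input, returned as [method_name, line] pairs.
def dangerous_evals(source)
  tree = Ripper.sexp(source)
  raise ArgumentError, "source does not parse" unless tree
  find_calls(tree)
    .select { |name, _line, args| EVAL_METHODS.include?(name) && user_input?(args) }
    .map { |name, line, _args| [name, line] }
end

# Constructed sample controller (not taken from any real application).
# Lines 3-5 should be flagged; lines 6-8 should not.
SAMPLE = <<~'RUBY'
  class CalculatorController < ApplicationController
    def compute
      eval(params[:expression])
      instance_eval "self.#{request.headers['X-Op']}"
      Kernel.eval(params[:y])
      class_eval "attr_reader :name"
      result = Integer(params[:count])
      eval "1 + 1"
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  dangerous_evals(SAMPLE).each { |name, line| puts "line #{line}: user input in #{name}" }
end
```

Like the real check, this only inspects the arguments of the call itself: user input copied into a local variable on an earlier line is caught by Brakeman's data-flow tracking but not by this simplified version, which is the main reason to prefer the actual check over a grep-style approximation.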