From 5249e4b2f3b9bcba465d53fe767e550574411522 Mon Sep 17 00:00:00 2001
From: elsapet
Date: Mon, 13 Nov 2023 11:40:42 +0200
Subject: [PATCH] fix: update description for existing eval rule

---
 rules/ruby/lang/eval_using_user_input.yml | 8 +--
 .../__snapshots__/test.js.snap | 54 +++++++++----------
 2 files changed, 31 insertions(+), 31 deletions(-)

diff --git a/rules/ruby/lang/eval_using_user_input.yml b/rules/ruby/lang/eval_using_user_input.yml
index 3c73d6312..ad501400e 100644
--- a/rules/ruby/lang/eval_using_user_input.yml
+++ b/rules/ruby/lang/eval_using_user_input.yml
@@ -38,7 +38,7 @@ metadata:
 description: "Potential command injection with user input detected."
 remediation_message: |
 ## Description
- It is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.
+ It is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.
 
 ## Remediations
 ❌ Avoid using code execution methods with unsanitized user input.
@@ -47,12 +47,12 @@ metadata:
 
 ```ruby
 get_total_str = if params["include_vat"]
- "def dynamic(a,b,c); a + b + c; end"
+ "def get_total(a,b,c); a + b + c; end"
 else
- "def dynamic(a,b); a + b; end"
+ "def get_total(a,b); a + b; end"
 end
 
- get_total = eval(get_total_str)
+ cart.instance_eval(get_total_str)
 ```
 
 ## Resources
diff --git a/tests/ruby/lang/eval_using_user_input/__snapshots__/test.js.snap b/tests/ruby/lang/eval_using_user_input/__snapshots__/test.js.snap
index 60ffee539..f92ec9e53 100644
--- a/tests/ruby/lang/eval_using_user_input/__snapshots__/test.js.snap
+++ b/tests/ruby/lang/eval_using_user_input/__snapshots__/test.js.snap
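Review bot: The body text is changed to say "code injection", but the rule's finding title one context line above, `description: "Potential command injection with user input detected."`, still says "command injection", so the title and the remediation text now disagree about the vulnerability class (the snapshot hunks below confirm the emitted `"title"` is unchanged). Evaluating user-controlled source with `eval` is code injection (CWE-94); command injection (CWE-78) is the narrower OS-shell case, and anyone filtering or mapping findings by title will be misled by the mismatch. The one-line fix is `description: "Potential code injection with user input detected."`, with the snapshots regenerated to match. The enclosing `metadata:` block starts before this hunk and continues after it.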
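Review bot: The rewritten "good" example still builds source text and evaluates it with `cart.instance_eval(get_total_str)`, so the remediation demonstrates the same pattern the rule exists to flag, and it is plausible that the scanner's own taint tracking would report this sample. The intent, that user input only chooses between fixed behaviours and never reaches the parser, is shown more convincingly without any eval-family call, for example `get_total = params["include_vat"] ? ->(a, b, c) { a + b + c } : ->(a, b) { a + b }`. If a string eval is kept on purpose, the text should say explicitly that the evaluated strings are constant literals and only the branch is user-controlled, otherwise readers may take "instance_eval a string" as the sanctioned fix. Note also that `instance_eval` of a `def` defines `get_total` on `cart`'s singleton and returns a symbol, which is a different outcome from the `get_total = eval(...)` line it replaces, although neither version ever calls the defined method.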
@@ -12,7 +12,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_event 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 2, "full_filename": "/tmp/bearer-scan/unsafe_event.rb", 
@@ -47,7 +47,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_event 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 4, "full_filename": "/tmp/bearer-scan/unsafe_event.rb", 
@@ -82,7 +82,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_event 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 6, "full_filename": "/tmp/bearer-scan/unsafe_event.rb", 
@@ -117,7 +117,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_event 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 8, "full_filename": "/tmp/bearer-scan/unsafe_event.rb", 
@@ -152,7 +152,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_event 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 10, "full_filename": "/tmp/bearer-scan/unsafe_event.rb", 
@@ -187,7 +187,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_event 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 12, "full_filename": "/tmp/bearer-scan/unsafe_event.rb", 
@@ -222,7 +222,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_event 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 14, "full_filename": "/tmp/bearer-scan/unsafe_event.rb", 
@@ -257,7 +257,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_event 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 16, "full_filename": "/tmp/bearer-scan/unsafe_event.rb", 
@@ -292,7 +292,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_event 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 18, "full_filename": "/tmp/bearer-scan/unsafe_event.rb", 
@@ -334,7 +334,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_params 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 1, "full_filename": "/tmp/bearer-scan/unsafe_params.rb", 
@@ -369,7 +369,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_params 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 3, "full_filename": "/tmp/bearer-scan/unsafe_params.rb", 
@@ -404,7 +404,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_params 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 5, "full_filename": "/tmp/bearer-scan/unsafe_params.rb", 
@@ -439,7 +439,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_params 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 7, "full_filename": "/tmp/bearer-scan/unsafe_params.rb", 
@@ -474,7 +474,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_params 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 9, "full_filename": "/tmp/bearer-scan/unsafe_params.rb", 
@@ -509,7 +509,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_params 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 11, "full_filename": "/tmp/bearer-scan/unsafe_params.rb", 
@@ -544,7 +544,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_params 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 13, "full_filename": "/tmp/bearer-scan/unsafe_params.rb", 
@@ -579,7 +579,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_params 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 15, "full_filename": "/tmp/bearer-scan/unsafe_params.rb", 
@@ -614,7 +614,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_params 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 17, "full_filename": "/tmp/bearer-scan/unsafe_params.rb", 
@@ -656,7 +656,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_request 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 1, "full_filename": "/tmp/bearer-scan/unsafe_request.rb", 
@@ -691,7 +691,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_request 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 3, "full_filename": "/tmp/bearer-scan/unsafe_request.rb", 
@@ -726,7 +726,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_request 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 5, "full_filename": "/tmp/bearer-scan/unsafe_request.rb", 
@@ -761,7 +761,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_request 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 7, "full_filename": "/tmp/bearer-scan/unsafe_request.rb", 
@@ -796,7 +796,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_request 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 9, "full_filename": "/tmp/bearer-scan/unsafe_request.rb", 
@@ -831,7 +831,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_request 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 11, "full_filename": "/tmp/bearer-scan/unsafe_request.rb", 
@@ -866,7 +866,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_request 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 13, "full_filename": "/tmp/bearer-scan/unsafe_request.rb", 
@@ -901,7 +901,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_request 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 15, "full_filename": "/tmp/bearer-scan/unsafe_request.rb", 
@@ -936,7 +936,7 @@ exports[`ruby_lang_eval_using_user_input unsafe_request 1`] = ` ], "id": "ruby_lang_eval_using_user_input", "title": "Potential command injection with user input detected.", - "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to command injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def dynamic(a,b,c); a + b + c; end\\"\\nelse\\n \\"def dynamic(a,b); a + b; end\\"\\nend\\n\\nget_total = eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", + "description": "## Description\\nIt is dangerous to use eval with user input, or to compile code with user-supplied data. Such practices can lead to code injection.\\n\\n## Remediations\\n❌ Avoid using code execution methods with unsanitized user input.\\n\\nIt might be possible to use dynamic hardcoded values, instead of user input directly.\\n\\n\`\`\`ruby\\nget_total_str = if params[\\"include_vat\\"]\\n \\"def get_total(a,b,c); a + b + c; end\\"\\nelse\\n \\"def get_total(a,b); a + b; end\\"\\nend\\n\\ncart.instance_eval(get_total_str)\\n\`\`\`\\n\\n## Resources\\n- [OWASP Code injection explained](https://owasp.org/www-community/attacks/Code_Injection)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/ruby_lang_eval_using_user_input", "line_number": 17, "full_filename": "/tmp/bearer-scan/unsafe_request.rb",