Code Injection Critical

User input is passed to a dynamic-dispatch call such as `send` or `eval`, so an attacker who controls that input can choose which code runs. This allows injection and unintended code execution, which may expose sensitive data or give the attacker control of the system.

Detector ID
ruby/code-injection@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

def code_injection_noncompliant()
  code = params[:code]
  # Noncompliant: User input is not sanitized; the raw parameter value
  # decides which method is invoked on User.
  @result = User.send(code)
end

Compliant example

def code_injection_compliant(*args)
  # Request parameters arrive as strings, so compare against "1" rather than the integer 1.
  method = params[:method] == "1" ? :method_a : :method_b
  # Compliant: User input only selects between two fixed symbols and is never
  # passed to User.send() itself.
  @result = User.send(method, *args)
end
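The allowlist idea behind the compliant example, carried through to a runnable dispatcher as an added example that is not code from the detector page. The Report class, its methods, the ALLOWED_ACTIONS table and the params hashes are hypothetical.

```ruby
# Added example, not code from the detector page: a small dispatcher that
# maps a user-controlled parameter onto a fixed allowlist of method names
# instead of handing the raw value to send. The Report class, its methods
# and the params hashes are hypothetical.
class Report
  def summary
    "summary report"
  end

  def details
    "detailed report"
  end

  private

  # Internal housekeeping; must never be reachable from request parameters.
  def purge!
    "purged"
  end
end

# Only these exact parameter values are accepted; everything else is rejected
# before any dynamic dispatch happens, so send never sees attacker-chosen text.
ALLOWED_ACTIONS = {
  "summary" => :summary,
  "details" => :details,
}.freeze

class UnknownActionError < ArgumentError; end

# Compliant dispatcher: params[:action] (a String, as request params always are)
# is used only as a lookup key, and public_send is used so that even an
# allowlist mistake cannot reach a private method. The error message does not
# echo the rejected value back to the caller.
def run_report(params)
  method_name = ALLOWED_ACTIONS.fetch(params[:action].to_s) do
    raise UnknownActionError, "unsupported action"
  end
  Report.new.public_send(method_name)
end

# Returns true if the dispatcher refuses the given action, false if it runs it.
def rejected?(params)
  run_report(params)
  false
rescue UnknownActionError
  true
end
```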