Improper Control of Generation of Code (‘Code Injection’)

Property
Language: ruby
Severity: high
CWE: CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: High

Description

Using Ruby’s eval or related methods with input that can be influenced by users allows attackers to execute arbitrary code in your application. Avoid passing user data to eval or similar functions.

Impact

If exploited, an attacker could run malicious code on your server, potentially gaining access to sensitive data, modifying application behavior, or taking full control of the system. This can lead to data breaches, service disruption, and severe compromise of application integrity.

Improper Control of Generation of Code (‘Code Injection’)

Property
Language: ruby
Severity: low
CWE: CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Checks for unsafe use of Object#send, try, send, and public_send. The check only accounts for an unsafe method argument, not for an unsafe receiver (target). Letting user input choose the method name can lead to arbitrary calls such as exit, as well as arbitrary code execution. Be sure to sanitize input in order to avoid this.

Improper Control of Generation of Code (‘Code Injection’)

Property
Language: ruby
Severity: medium
CWE: CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

User-controlled input is being passed directly to Open3 pipeline methods without proper validation or sanitization. This allows attackers to inject and execute arbitrary commands on the server.

Impact

If exploited, an attacker could run malicious code on your server, potentially gaining unauthorized access, stealing data, or compromising the entire system. This can lead to data breaches, loss of service, and significant organizational risk.

Improper Control of Generation of Code (‘Code Injection’)

Property
Language: ruby
Severity: medium
CWE: CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Using the ‘syscall’ method in Ruby is unsafe because it allows direct system call execution, which can lead to serious security risks and is not portable across platforms. Safer alternatives like the Fiddle library should be used instead.

Impact

If exploited, attackers could execute arbitrary system commands, potentially gaining unauthorized access, running malicious code, or compromising the entire server. This can lead to data breaches, service disruption, or full control over the affected application.

Improper Control of Generation of Code (‘Code Injection’)

Property
Language: ruby
Severity: medium
CWE: CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The code uses the ‘open’ function with a dynamically constructed command, which may include untrusted input. This can allow attackers to inject and execute arbitrary commands if user data is passed in without proper validation.

Impact

If exploited, an attacker could execute arbitrary system commands on the server, potentially leading to data theft, data loss, or a complete system compromise. This could allow unauthorized access, modification, or destruction of critical application or system resources.

Improper Control of Generation of Code (‘Code Injection’)

Property
Language: ruby
Severity: medium
CWE: CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Using the :marshal or :hybrid cookie serializer allows cookies to be deserialized with Ruby’s Marshal format, which is unsafe. Attackers who can tamper with cookies may exploit this to run malicious code on your server.

Impact

If exploited, an attacker could achieve remote code execution on your server by crafting a malicious cookie. This could lead to full system compromise, data theft, or further attacks against your users and infrastructure.

Improper Control of Generation of Code (‘Code Injection’)

Property
Language: ruby
Severity: medium
CWE: CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The code executes shell commands using dynamic values inside backticks in Ruby. If user input is included without proper validation, it could allow attackers to inject and run arbitrary commands.

Impact

An attacker exploiting this could execute any command on the server, potentially gaining unauthorized access, stealing data, deleting files, or compromising the entire system. This can lead to data breaches, service outages, or full system takeover.

Improper Control of Generation of Code (‘Code Injection’)

Property
Language: ruby
Severity: medium
CWE: CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The code passes user-controlled input, such as values from cookies, parameters, or the request environment, directly to Ruby reflection methods like tap, method, or to_proc. This allows attackers to influence which methods are called and how they are executed, making the application vulnerable to code injection.