# Improper Control of Generation of Code ('Code Injection')

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
## Description

The application passes user-supplied input (such as cookies, request parameters, or request environment values) to Ruby reflection methods such as `constantize` or `const_get`. These methods resolve a string to whatever class or module carries that name, so an attacker who controls the string controls which classes or modules are loaded or executed at runtime. This is a serious security risk.
## Impact

If exploited, an attacker could execute arbitrary code or load unauthorized classes on the server, potentially leading to a full server compromise, data theft, or further attacks. Because the vulnerability can allow remote code execution, the entire application and its data are at risk.