
2.2. Dangerous methods

Ruby contains a number of methods and modules that should be used with caution: calling them with input potentially controlled by an attacker can lead to arbitrary code execution. These include:
  • Kernel#exec, Kernel#system, backticks and %x{...}
  • Kernel#fork, Kernel#spawn
  • Kernel#load, Kernel#autoload
  • Kernel#require, Kernel#require_relative
  • the DL and Fiddle modules
  • Object#send, Object#__send__ and Object#public_send
  • BasicObject#instance_eval, BasicObject#instance_exec
  • Module#class_eval, Module#class_exec, Module#module_eval, Module#module_exec
  • Module#alias_method
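The following is an added example, not code from the guide, showing two of the listed methods with input that is assumed to be attacker-controlled: the shell-string form of command execution (Kernel#system, backticks, %x{...}) beside the argv form and Shellwords escaping, and Object#send dispatch on a user-supplied name beside an allowlisted dispatcher. The input string, the Report class and the allowlist are constructed for the example; only harmless echo commands are run.

```ruby
# Added example (not from the guide): safe and unsafe use of two of the
# methods listed above with input assumed to be attacker-controlled.
require "shellwords"
require "open3"

# --- Kernel#system / backticks / %x{...}: string form goes through /bin/sh ---

# Constructed attacker input: a value a naive caller would interpolate
# into a command line. Only harmless echo commands are involved.
USER_INPUT = "hello; echo injected".freeze

# Unsafe: a single command string is parsed by the shell, so shell
# metacharacters in the input become additional commands.
def echo_via_shell_string(input)
  out, _status = Open3.capture2("echo #{input}")
  out
end

# Safe: the array (argv) form passes each element as one argument and
# never invokes a shell, so the input is printed verbatim.
def echo_via_argv(input)
  out, _status = Open3.capture2("echo", input)
  out
end

# When a shell string is unavoidable, escape every argument first so the
# shell sees it as a single word.
def echo_via_escaped_string(input)
  out, _status = Open3.capture2("echo #{Shellwords.escape(input)}")
  out
end

# --- Object#send / public_send: dispatching on an attacker-chosen name ---

class Report
  def summary
    "summary"
  end

  def details
    "details"
  end

  # Not intended to be reachable from external input.
  def destroy!
    "destroyed"
  end
end

# Unsafe: whatever name arrives in the input is called, and #send also
# ignores visibility, so private methods such as instance_eval are reachable.
def call_unsafe(obj, name)
  obj.send(name)
end

# Safe: map the requested action through an explicit allowlist of symbols
# and reject everything else. Using public_send alone is not enough, since
# it still exposes every public method of the object (destroy! here).
ALLOWED_ACTIONS = { "summary" => :summary, "details" => :details }.freeze

def call_allowlisted(obj, name)
  method = ALLOWED_ACTIONS.fetch(name) do
    raise ArgumentError, "unknown action: #{name.inspect}"
  end
  obj.public_send(method)
end

if __FILE__ == $PROGRAM_NAME
  puts "shell string : #{echo_via_shell_string(USER_INPUT).inspect}"
  puts "argv form    : #{echo_via_argv(USER_INPUT).inspect}"
  puts "escaped      : #{echo_via_escaped_string(USER_INPUT).inspect}"
  puts "allowlisted  : #{call_allowlisted(Report.new, 'summary')}"
end
```

The argv form is the preferred fix because it removes the shell from the picture entirely; Shellwords.escape is the fallback when an existing command string must be kept. For dynamic dispatch, the allowlist is what bounds the reachable methods; switching from send to public_send only restores visibility checks.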