---
title: Avoid Dynamic Code Execution
impact: CRITICAL
impactDescription: prevents Remote Code Execution (RCE) vulnerabilities
tags: security, eval, rce, dynamic-code
---

## Avoid Dynamic Code Execution

Avoid passing untrusted user input to `eval`, `instance_eval`, `class_eval`, or `send`: each executes or dispatches whatever the input names, which can lead to arbitrary code execution.

**Incorrect (unsafe eval):**

```ruby
# Extremely dangerous: RCE vulnerability
eval(params[:code])

# Dangerous: Method calling vulnerability
User.send(params[:method]) # Attacker: ?method=destroy_all
```

**Correct (safe alternatives):**

```ruby
require 'json'

# Use an allowlist for dynamic methods, and call public_send rather than
# send so method visibility is respected (send can reach private methods)
ALLOWED_METHODS = ['profile', 'settings'].freeze
if ALLOWED_METHODS.include?(params[:method])
  user.public_send(params[:method])
end

# Use a JSON parser instead of eval to turn user-supplied data into objects
data = JSON.parse(params[:json_string])
```
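The following is an added, runnable example (not part of the original rule) that carries the two safe patterns above through a small dispatcher. The `Account` class, the `ALLOWED_ACTIONS` map, `dispatch` and `parse_settings` are all hypothetical names introduced here; they stand in for an application's model, controller action and input handling.

```ruby
# Added example: safe dispatch of a user-supplied action name and safe
# parsing of user-supplied data, with no eval and no raw send.
require 'json'

# Hypothetical model standing in for an application's User class.
class Account
  def initialize(name)
    @name = name
  end

  def profile
    "profile of #{@name}"
  end

  def settings
    "settings of #{@name}"
  end

  # Destructive method that must never be reachable from user input.
  def destroy_all
    raise 'destroy_all was reached via user input'
  end

  private

  # Private method: public_send refuses to call it even if it were allowlisted.
  def internal_token
    'secret'
  end
end

# Allowed action names exactly as they arrive in params, mapped to the method
# they invoke. The user's string is only ever used as a Hash lookup key.
ALLOWED_ACTIONS = {
  'profile'  => :profile,
  'settings' => :settings
}.freeze

class UnknownActionError < StandardError; end

# Dispatch a user-supplied action name. Unknown names raise instead of being
# forwarded to the object; public_send (not send) respects method visibility.
def dispatch(account, action_param)
  method_name = ALLOWED_ACTIONS.fetch(action_param.to_s) do
    raise UnknownActionError, "action not permitted: #{action_param.inspect}"
  end
  account.public_send(method_name)
end

# Parse user-supplied JSON. Malformed input and any non-object top-level value
# are rejected here so callers do not have to defend against unexpected types.
def parse_settings(json_string)
  data = JSON.parse(json_string)
  raise ArgumentError, 'settings must be a JSON object' unless data.is_a?(Hash)
  data
rescue JSON::ParserError => e
  raise ArgumentError, "invalid JSON: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  acct = Account.new('alice')
  puts dispatch(acct, 'profile')
  begin
    dispatch(acct, 'destroy_all')
  rescue UnknownActionError => e
    puts "blocked: #{e.message}"
  end
  puts parse_settings('{"theme":"dark"}').inspect
end
```

The Hash-based allowlist is preferred over `Array#include?` followed by `send` because the user-controlled string never reaches the dispatch call at all; only a symbol chosen by the developer does. Using `public_send` adds a second layer, so even a mistake in the allowlist cannot expose private methods.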

**Tools:** Brakeman, RuboCop (`Security/Eval`)
