Remote Code Execution: JSON parsing vulnerabilities CVE-2013-0333 and CVE-2013-0269

ID

ruby.checkjsonparsing

Severity

critical

Resource

Remote Code Execution

Language

Ruby

Description

Improper neutralization of directives in dynamically evaluated code ('Eval Injection'), CWE-95.

Code Injection vulnerabilities occur when an application dynamically executes code containing untrusted input from users.

Rationale

Checks for the two Ruby JSON parsing vulnerabilities that let a crafted JSON document be turned into arbitrary Ruby objects or code:

CVE-2013-0333: Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 (lib/active_support/json/backends/yaml.rb) converted JSON into YAML and handed it to the YAML parser. Because YAML loading instantiates arbitrary objects, a crafted request body could lead to remote code execution, SQL injection or authentication bypass. This is a different flaw from CVE-2013-0156.

CVE-2013-0269: the json gem before 1.5.5, 1.6.x before 1.6.8 and 1.7.x before 1.7.7 honoured the "json_class" key (the create_additions option) in JSON.parse by default, so untrusted input could create arbitrary Ruby objects and symbols. This allowed denial of service and bypass of the Rails mass-assignment protection, demonstrated as SQL injection against Ruby on Rails ("Unsafe Object Creation Vulnerability").

Remediation

To mitigate these vulnerabilities, and Code Injection vulnerabilities in general, follow these best practices:

  1. Upgrade the affected components: Rails 2.3.16 / 3.0.20 or later (CVE-2013-0333), whose fix replaced the YAML-based JSON backend, and the json gem 1.5.5, 1.6.8 or 1.7.7 or later (CVE-2013-0269). Do not select a YAML-based backend for ActiveSupport::JSON.

  2. Parse untrusted JSON with JSON.parse, never JSON.load: in fixed versions JSON.parse defaults create_additions to false, while JSON.load keeps object creation through "json_class" enabled. Pass create_additions: false explicitly so the behaviour does not depend on library defaults.

  3. Avoid Dynamic Code Execution: Where possible, avoid using dynamic script execution, YAML loading or reflection with untrusted input.

  4. Input Validation and Sanitization: Assume all input is potentially malicious. Rigorously validate all user inputs to confirm they adhere to expected formats, and sanitize them (an allowlisting approach is recommended) to remove potentially harmful content.

  5. Canonicalization: Decode and canonicalize inputs to a standard internal representation before validation. This helps prevent bypassing input filters through encoding tricks.
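The following is an added example, not part of this detector's documentation or of the json gem's own code. It shows the behaviour behind CVE-2013-0269 on a current json gem by turning create_additions on explicitly (what JSON.parse did by default before the fix, and what JSON.load still does), then the hardened parse of untrusted input beside it. The AuditEntry class, its fields and the UNTRUSTED document are constructed for the example; a real attacker targets a class whose json_create has useful side effects.

```ruby
require 'json'

# Stand-in for any class the JSON gem can instantiate through the
# "json_class" key. The class name and fields are assumptions for the
# example; a real attacker picks a class whose json_create has side effects.
class AuditEntry
  attr_reader :actor, :action

  def initialize(actor, action)
    @actor  = actor
    @action = action
  end

  # Called by the JSON gem when create_additions is enabled and the
  # document contains "json_class": "AuditEntry".
  def self.json_create(h)
    new(h['actor'], h['action'])
  end
end

# Constructed attacker-controlled request body.
UNTRUSTED = '{"json_class":"AuditEntry","actor":"attacker","action":"escalate"}'

# The vulnerable behaviour: the input decides which class gets instantiated.
# JSON.parse did this by default before json 1.7.7 / 1.6.8 / 1.5.5 and
# JSON.load still does.
def parse_with_additions(src)
  JSON.parse(src, create_additions: true)
end

# Hardened parsing of untrusted input: object creation is explicitly off, so
# "json_class" is just another string key; keys stay strings (symbolize_names
# on attacker input lets it create arbitrary symbols, a DoS on Ruby < 2.2);
# and the top-level shape is checked against the keys the caller expects.
def parse_untrusted(src, required_keys: [])
  data = JSON.parse(src, create_additions: false, symbolize_names: false)
  raise ArgumentError, 'expected a JSON object' unless data.is_a?(Hash)
  missing = required_keys - data.keys
  raise ArgumentError, "missing keys: #{missing.join(', ')}" unless missing.empty?
  data
end

if __FILE__ == $PROGRAM_NAME
  obj = parse_with_additions(UNTRUSTED)
  puts "create_additions: true  -> #{obj.class} (#{obj.actor} / #{obj.action})"
  safe = parse_untrusted(UNTRUSTED, required_keys: %w[actor action])
  puts "create_additions: false -> #{safe.class} #{safe.inspect}"
end
```

With create_additions enabled the same bytes come back as an AuditEntry instance built by code the attacker chose to reach; with it disabled they come back as a plain Hash in which "json_class" is an ordinary key, and the shape check rejects documents that are not the expected object.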

Configuration

This detector does not need any configuration.

References