In my previous post, I demonstrated how Ruby’s #eval method can be exploited to hijack a Rails application. Of course, if you knew much of anything about Ruby or Rails, then that post was probably underwhelming. It was like warning people not to leave the keys in the ignition and the doors unlocked when parking […]
Hey everybody! Check out how crazy easy it is to write a calculator application in Rails!
class CalculatorController < ApplicationController
  def calculate  # action name assumed; the original excerpt does not show it
    @result = eval(params[:expression])  # deliberately unsafe: runs user input as Ruby
  rescue SyntaxError, StandardError      # SyntaxError is not a StandardError, so it must be named
    @result = "That's not a valid expression, dummy!"
  end
end
All I had to do was pass the user’s input into Ruby’s #eval method! Isn’t Rails teh (sic) awesome? Now that you’ve finished dishing out jumping high-fives to everyone in the room, let’s think through the implications of […]
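As an added example (not from the original post), here is the same calculator without #eval: a small recursive-descent parser that accepts only arithmetic tokens, so a string such as `system('id')` produces the post's "not a valid expression" message instead of running. The `SafeCalculator` class and the `safe_calculate` helper are constructed for this illustration.

```ruby
class SafeCalculator
  TOKEN = /\A\s*(\d+(?:\.\d+)?|[-+*\/()])/   # numbers, + - * / and parens only
  class InvalidExpression < StandardError; end
  # Anything outside TOKEN (letters, quotes, backticks) is rejected up front,
  # so an identifier or method call never reaches any evaluator.
  def self.evaluate(src)
    tokens = []
    until src.strip.empty?
      m = TOKEN.match(src) or raise InvalidExpression, "unexpected input"
      tokens << m[1]
      src = m.post_match
    end
    calc = new(tokens)
    value = calc.parse_expr
    raise InvalidExpression, "trailing input" unless calc.done?
    value
  end
  def initialize(tokens); @tokens, @pos = tokens, 0; end
  def done?; @pos == @tokens.length; end
  def take; @pos += 1; @tokens[@pos - 1]; end
  def parse_expr                 # expr := term (('+'|'-') term)*
    value = parse_term
    while %w[+ -].include?(@tokens[@pos])
      value = take == "+" ? value + parse_term : value - parse_term
    end
    value
  end
  def parse_term                 # term := factor (('*'|'/') factor)*
    value = parse_factor
    while %w[* /].include?(@tokens[@pos])
      value = take == "*" ? value * parse_factor : value / parse_factor
    end
    value
  end
  def parse_factor               # factor := number | '-' factor | '(' expr ')'
    case (tok = take)
    when "-" then -parse_factor
    when "(" then parse_expr.tap { raise InvalidExpression, "missing )" unless take == ")" }
    when /\A\d/ then tok.include?(".") ? tok.to_f : tok.to_i
    else raise InvalidExpression, "unexpected #{tok.inspect}"
    end
  end
end

# Hypothetical drop-in for the controller's eval call: the value, or the post's error string.
def safe_calculate(expression)
  SafeCalculator.evaluate(expression.to_s)
rescue SafeCalculator::InvalidExpression, ZeroDivisionError
  "That's not a valid expression, dummy!"
end
```

In the controller, `@result = safe_calculate(params[:expression])` replaces the eval line and the rescue clause together; integer inputs keep Ruby's integer division (`7 / 2` is `3`), just as eval would have given.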