CWE-95
Description
This rule detects cases where user-supplied input is passed through a pipe chain and ultimately evaluated by R's eval() function. When untrusted data reaches eval(), an attacker can craft malicious strings that get executed as arbitrary R code within the application's runtime environment.
This presents a critical security risk because eval() executes any valid R expression, allowing attackers to read or modify files, exfiltrate sensitive data, execute system commands, or completely compromise the system.
Exploitability (AI-assessed): Non-Exploitable
The eval() call uses bquote() with the .() substitution operator to interpolate y2UnitValue into the expression before evaluation. bquote() splices in the value of y2UnitValue, not text: a character value becomes a string constant inside the resulting call and is never parsed, so it cannot turn into a function call even if it were hostile. y2UnitValue is additionally taken from an internal metaData structure rather than from user input. This is a standard way of constructing ggplot2 aesthetic mappings and does not represent an exploitable code injection vulnerability. The one property to preserve is that the object handed to .() is a plain value or symbol, never the output of parse() or str2lang(), which bquote() would splice in as code.
Remediation (if hardening anyway)
Avoid eval() on constructed expressions where practical. Prefer non-evaluating ggplot2 mechanisms (e.g. aes(y = .data[[col]]) or tidy-eval) over building expressions for eval(): a column name that does not exist then fails as a lookup error rather than running as code. If eval() is required, keep substituting only known internal values via bquote(.()), and never run parse(text = ...) or str2lang() on strings derived from external input before splicing them in.
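The following R script is an added illustration, not code from the scanned project, showing side by side the three patterns the finding and remediation talk about: the CWE-95 shape (parse a string, eval it), the bquote(.()) shape assessed here, the caveat where bquote() is fed an already-parsed object, and the non-evaluating .data[[col]] alternative. The payload string, the sample data frame and the function names are constructed for the example; the project's y2UnitValue and metaData are not reproduced. Sections 1 to 3 are base R (str2lang needs R >= 3.6); section 4 needs ggplot2 installed.

```r
# Added example: contrasting eval()-based and non-evaluating ggplot2 mappings.
# Not the project's code; payload, data and function names are constructed.

payload <- "system('id')"   # constructed attacker-controlled string

# 1. CWE-95 pattern: a string is turned into code, then handed to eval().
unsafe_mapping <- function(col) {
  str2lang(sprintf("aes(y = %s)", col))   # str2lang() parses one expression
}
u <- unsafe_mapping(payload)
print(u)                  # aes(y = system("id"))  <- the payload is now a call
stopifnot(is.call(u$y))   # eval(u) would pass system("id") on for evaluation

# 2. The pattern in this finding: bquote(.()) splices the VALUE, never text.
safe_mapping <- function(value) {
  bquote(aes(y = .(value)))
}
s <- safe_mapping(payload)
print(s)                      # aes(y = "system('id')")  <- a string constant
stopifnot(is.character(s$y))  # evaluating this cannot call system()

# 3. Caveat: bquote() is only as safe as what you pass to .(). A value that
#    was already parsed into a language object is spliced in as code.
still_unsafe <- bquote(aes(y = .(str2lang(payload))))
print(still_unsafe)           # aes(y = system("id"))
stopifnot(is.call(still_unsafe$y))

# 4. Hardened alternative from the remediation: no eval() at all. The .data
#    pronoun looks a column up by name; an unknown name is an error, not code.
if (requireNamespace("ggplot2", quietly = TRUE)) {
  library(ggplot2)
  df <- data.frame(x = 1:3, value = c(2, 4, 6))   # constructed sample data

  col <- payload
  p <- ggplot(df, aes(x = x, y = .data[[col]])) + geom_point()
  res <- tryCatch(ggplot_build(p), error = function(e) conditionMessage(e))
  print(res)   # column "system('id')" not found in .data (wording varies by version)

  col <- "value"
  ok <- ggplot_build(ggplot(df, aes(x = x, y = .data[[col]])) + geom_point())
  print(ok$data[[1]]$y)   # 2 4 6: the legitimate column name resolves normally
}
```

Run it with Rscript; the stopifnot() calls document the expected shape of each constructed call (a call object for the parsed variants, a character constant for the bquote() one), which is the distinction the exploitability assessment above rests on.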