Rails Ev(i|a)l @ April Fools Days

First. Create a evil, oh no, a eval controller.

app/controllers/ruby_eval_controller.rb

1
2
3
4
5
6
7
8
9
Class RubyEvalController < ApplicationController
  def do
    if @result = eval(params[:ruby])
      render :xml => @result
    else
      head :ok
    end
  end
end

Then. Let’s post some evil params.

POST /ruby_eval

1
2
<?xml version="1.0" encoding="UTF-8" ?>
<ruby>User.find_by_intro('I am eval or evil?')</ruby>