
Web frameworks that inadequately sanitise inputs can be prone to SQL injection.

Are R processes vulnerable to 'R injection' in the same way? That is, can someone (or some API) provide inputs to R functions (especially those that can read from the web, like read.csv(), jsonlite::fromJSON()) that cause code to be executed?

I already know that code injection is possible in languages other than SQL, although I haven't discovered any examples in R.

I see some examples of SQL injection in shiny, but note I am only interested in learning about possible R injections (not SQL injections).

In case it's relevant, the actual use case is an R function that reads JSON from an external API via jsonlite::fromJSON() - I wish to ensure that it is not possible for any JSON data (valid or malformed) to cause remote code execution within the R function. The function doesn't do anything with SQL, which is why I am not so interested in SQL injection.

stevec
If you don't parse and evaluate arbitrary user input (or use functions that do so), you don't have to worry. That's one of the reasons why some contributors to the R tag constantly fight the good fight against use of `eval(parse())` (although there are other, often more important, reasons). – Roland Jul 29 '20 at 11:36
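To make the point in the comment concrete for the use case in the question (JSON from an external API parsed with jsonlite::fromJSON()), here is an added example that is not part of the original question or comment. The payload and the `parse_api_response()` function are constructed for illustration; the jsonlite functions used (`validate()`, `fromJSON()`) are real. It shows that parsed JSON comes back as plain data, that an explicit schema check rejects unexpected shapes, and that the only sink that would turn a string into code is an `eval(parse(text = ...))` call the program itself would have to write.

```r
library(jsonlite)

# Constructed sample payload standing in for an API response (not from the question).
# The "note" field deliberately contains text that *looks* like R code.
payload <- '{"user": "alice", "count": 3, "note": "Sys.time()"}'

# Parse and validate an API response. fromJSON() only ever produces data
# (lists, vectors, data frames); it never evaluates the input as R code.
parse_api_response <- function(txt) {
  # Reject malformed JSON up front instead of letting a partial parse through.
  if (!jsonlite::validate(txt)) stop("malformed JSON")

  # simplifyVector = FALSE keeps the structure explicit (nested lists),
  # so type checks below are not confused by automatic simplification.
  obj <- jsonlite::fromJSON(txt, simplifyVector = FALSE)

  # Explicit schema check: accept only the fields and types we expect.
  # Anything else is treated as an error, not interpreted.
  stopifnot(
    is.list(obj),
    is.character(obj$user), length(obj$user) == 1,
    is.numeric(obj$count),  length(obj$count) == 1
  )
  obj
}

res <- parse_api_response(payload)
str(res$note)   # a character value: the text "Sys.time()" was stored, not run

# Malformed input is rejected rather than partially parsed:
bad <- try(parse_api_response('{"user": "alice", "count": '), silent = TRUE)
inherits(bad, "try-error")   # TRUE

# The "R injection" sink, shown only as the pattern to avoid: if the program
# ever did eval(parse(text = res$note)), the API would control what R executes.
# As long as no code path feeds parsed fields to eval()/parse() (or to
# functions that do so internally), JSON content stays data.
```

The design choice is the same one the comment makes: treat every field from `fromJSON()` as untrusted data, check it against the shape you expect, and never route it into `eval()`, `parse()` or any helper that builds and evaluates code from strings.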

0 Answers