Web frameworks that inadequately sanitise inputs can be prone to SQL injection.
Are R processes vulnerable to 'R injection' in the same way? That is, can someone (or some API) provide inputs to R functions (especially those that can read from the web, like read.csv(), jsonlite::fromJSON()) that cause code to be executed?
I already know that code injection is possible in languages other than SQL, although I haven't discovered any examples in R.
I see some examples of SQL injection in shiny, but note I am only interested in learning about possible R injections (not SQL injections).
In case it's relevant, the actual use case is an R function that reads JSON from an external API via jsonlite::fromJSON() - I wish to ensure that it is not possible for any JSON data (valid or malformed) to cause remote code execution within the R function. The function doesn't do anything with SQL, hence why I am not so interested in SQL injection.