
R Security

R security practices for Shiny apps, package auditing, and safe data handling

Details

Language / Topic
R
Category
Security

Rules

- Never use `eval(parse(text = user_input))`: it executes arbitrary R code, so any caller who controls `user_input` has remote code execution.
- Read secrets at runtime with `Sys.getenv("SECRET_KEY")`; never hardcode credentials or API keys in R source files.
- Validate and sanitize all user-supplied inputs in Shiny apps before passing them to reactive expressions or database queries.
- Use `oysteR::audit_installed_packages()` or `pak::pkg_security_check()` to scan installed CRAN packages for known vulnerabilities.
- In Shiny apps, use `shiny::req()` and `shiny::validate()` to guard reactive expressions against missing or invalid user inputs.
- Use `DBI::dbQuoteIdentifier()` for identifiers and parameterized queries (`DBI::dbGetQuery(conn, query, params = list(...))`) for values; never interpolate user input into SQL strings.
- Store `.RData` and `.Rds` files containing sensitive data outside the project root and outside version control.
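The Shiny, `req()`/`validate()` and parameterized-query rules above, combined in one small app. This is an added example written for this page, not code from any project; the `orders` table, the `ORDERS_DB_PATH` environment variable and the customer-name pattern are constructed assumptions.

```r
library(shiny)
library(DBI)
library(RSQLite)

# Connection target comes from the environment (assumed variable name),
# falling back to a constructed in-memory database for a stand-alone run.
con <- dbConnect(RSQLite::SQLite(), Sys.getenv("ORDERS_DB_PATH", unset = ":memory:"))
onStop(function() dbDisconnect(con))

# Constructed sample data standing in for a real table.
dbWriteTable(con, "orders", data.frame(
  id       = 1:3,
  customer = c("alice", "bob", "carol"),
  total    = c(42.5, 13.0, 99.9)
), overwrite = TRUE)

ui <- fluidPage(
  textInput("customer", "Customer name"),
  tableOutput("orders")
)

server <- function(input, output, session) {
  # The forbidden pattern, for contrast (never run this):
  #   dbGetQuery(con, paste0("SELECT * FROM orders WHERE customer = '",
  #                          input$customer, "'"))
  # Whatever the user types becomes part of the SQL text.

  customer <- reactive({
    req(input$customer)  # silently wait until the field has a value
    validate(need(grepl("^[A-Za-z0-9_-]{1,32}$", input$customer),
                  "Customer must be 1-32 letters, digits, '_' or '-'."))
    input$customer
  })

  output$orders <- renderTable({
    # Bound parameter: the driver sends the value separately from the SQL,
    # so it can never change the statement's structure.
    dbGetQuery(con,
               "SELECT id, customer, total FROM orders WHERE customer = ?",
               params = list(customer()))
  })
}

shinyApp(ui, server)
```

With an empty field the table stays blank; with a value failing the pattern the validation message is shown in place of the table; with a well-formed name only that customer's rows are returned, regardless of what else the string contains.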