Dangerous use of eval with user input detected

  • Rule ID: javascript_express_eval_user_input
  • Languages: javascript
  • Source: eval_user_input.yml

Description

Using eval (and similar code-execution methods, such as setTimeout called with a string) on user input is dangerous and can lead to remote code execution.

Remediation

❌ As a general rule, avoid using eval.

❌ Avoid using code execution methods with unsanitized user input.

Instead, it may be possible to choose between hardcoded values at runtime, so that user input only selects the code and is never part of it:

  // Both candidate strings are written at development time; the request only
  // decides which one is used. (Browser setTimeout evaluates a string callback;
  // Node's setTimeout requires a function, so read it here as a stand-in for any
  // code-execution method.)
  app.post("/:id", (req, res) => {
    let myFunc = "(a, b) => a + b";
    if (req.params["single_item"]) {
      myFunc = "(a) => a";
    }

    setTimeout(myFunc);
  });

or pass user input as arguments to a function compiled from a constant string, instead of compiling code that contains user input.

  const vm = require("node:vm");

  // vm.compileFunction takes the function body and its parameter names; the
  // body is a constant, and request data reaches it only as arguments.
  // The route declares both parameters so that req.params actually carries them.
  app.post("/:pageCount/:appendixPageCount", (req, res) => {
    const myFunc = "return a + b";
    const compiledFunction = vm.compileFunction(myFunc, ["a", "b"]);
    // Route parameters are strings; convert them before doing arithmetic.
    const total = compiledFunction(Number(req.params["pageCount"]), Number(req.params["appendixPageCount"]));
    res.json({ total });
  });

✅ Use JavaScript's strict mode as best practice and to minimize the reach of code-execution methods (in strict code, declarations made inside eval do not leak into the surrounding scope).

  "use strict";

  app.post("/:id", (req, res) => {
    ...
  });
