Unsanitized user input in 'eval' type function

• Rule ID: javascript_lang_eval_user_input
• Languages: javascript
• Source: eval_user_input.yml

Description

Allowing user input to directly influence the behavior of eval and similar functions like setTimeout poses a significant security risk, potentially leading to remote code execution attacks. This vulnerability stems from the dynamic execution of code, which can be maliciously crafted by an attacker.

Remediations

• Do not use eval or similar code execution functions directly with user input. This approach can make your application vulnerable to attacks.

  eval(userInput); // unsafe

• Do use static, hardcoded values when working with dynamic code execution methods. This method ensures that only predefined operations are performed, reducing the risk of executing malicious code.

    let myFunc = "(a, b) => a + b";
    if (req.params["single_item"]) {
      myFunc = "(a) => a";
    }

• Do consider using compiled functions instead of dynamically compiling code with user input. This practice allows for safer execution of dynamic operations by predefining the code to be executed.
• Do enable JavaScript's strict mode in your code. This mode helps to catch common coding bloopers, prevents unsafe actions, and limits certain features that can make your code more secure.

  "use strict";

References

• MDN JavaScript strict mode reference

Associated CWE

• CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

OWASP Top 10

• A03:2021 - Injection

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_eval_user_input

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_eval_user_input