Dangerous use of eval with user input detected
- Rule ID: javascript_lang_eval_user_input
- Languages: javascript
- Source: eval_user_input.yml
Description
Using eval (and similar code execution methods such as setTimeout) with user input is dangerous and can lead to remote code execution.
Remediation
❌ As a general rule, avoid using eval.
❌ Avoid using code execution methods with unsanitized user input.
Instead, it might be possible to use dynamic hardcoded values:
app.post("/:id", (req, res) => {
let myFunc = "(a, b) => a + b"
if req.params["single_item"] {
myFunc = "(a) => a"
}
setTimeout(myFunc);
};or pass user input to a compiled function, instead of compiling it with user input.
app.post("/:id", (req, res) => {
let myFunc = "(a, b) => a + b"
let compiledFunction = vm.compileFunction(myFunc);
compiledFunction(req.params["pageCount"], req.params["appendixPageCount"])
};✅ Use JavaScript's strict mode as best practice and to minimize the reach of code execution methods
"use strict"
app.post("/:id", (req, res) => {
...
})Resources
Associated CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
OWASP Top 10
Ready to take the next step? Join the Bearer Cloud waitlist.