Dangerous use of eval with user input detected
- Rule ID: javascript_lang_eval_user_input
- Languages: javascript
- Source: eval_user_input.yml
Description
Using eval (and similar code execution methods such as setTimeout with a string argument) with user input is dangerous and can lead to remote code execution.
Remediation
❌ As a general rule, avoid using eval.
❌ Avoid using code execution methods with unsanitized user input.
Instead, it might be possible to select between hardcoded values dynamically, so request data decides which fixed string is executed but never becomes part of it:

```javascript
app.post("/:id", (req, res) => {
  // Both candidate sources are fixed strings; the request only chooses one.
  let myFunc = "(a, b) => a + b";
  if (req.params["single_item"]) {
    myFunc = "(a) => a";
  }
  setTimeout(myFunc);
});
```
or pass user input as arguments to a function compiled from a fixed string, instead of compiling code that contains user input.

```javascript
const vm = require("vm");

app.post("/:id", (req, res) => {
  // vm.compileFunction takes a function body and its parameter names; the
  // body is a fixed string, and request data only ever arrives as arguments.
  const compiledFunction = vm.compileFunction("return a + b;", ["a", "b"]);
  compiledFunction(req.params["pageCount"], req.params["appendixPageCount"]);
});
```
✅ Use JavaScript's strict mode as best practice and to minimize the reach of code execution methods.

```javascript
"use strict";

app.post("/:id", (req, res) => {
  ...
});
```
Resources
Associated CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag:

```shell
bearer scan /path/to/your-project/ --skip-rule=javascript_lang_eval_user_input
```

To run only this rule during a scan, use the following flag:

```shell
bearer scan /path/to/your-project/ --only-rule=javascript_lang_eval_user_input
```