Unsanitized user input in 'eval' type function

Overview

  • Rule ID: java_lang_eval_using_user_input

  • Applicable Languages: Java

  • Weakness ID: CWE-95

Description

Passing unsanitized user input to 'eval' or a similar dynamic-evaluation function is a significant security risk. Because the input is executed as code, an attacker can inject and run arbitrary code inside your application.

Remediation Guidelines

  • Avoid using eval or similar functions with user-supplied data, as this can make your application vulnerable to severe security risks.

  • Always validate and sanitize all user input before incorporating it into your code, ensuring inputs comply with a strict set of rules.

  • Opt for safer alternatives to eval for dynamic code execution needs, using functions that do not run user-supplied data as code.
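The following Java listing is an added example, not part of the original rule page: it puts a request-controlled expression into a JSR-223 script engine (the pattern this rule flags) next to two hardened replacements, one that maps the request onto a fixed allowlist of operations with numeric operands, and one that keeps the script constant and passes the user value in through engine bindings so it is data, never code. The class name, method names and the "javascript" engine lookup are assumptions for illustration; on JDK 15 and later the bundled JavaScript engine is absent, so the lookup may return null.

```java
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;
import java.util.Map;
import java.util.function.DoubleBinaryOperator;

// Hypothetical class written for this example; not from the rule page.
public class EvalRemediation {

    // Flagged pattern: the request body becomes the program that the engine runs.
    static Object evaluateUnsafe(String userExpression) throws ScriptException {
        ScriptEngine engine = requireEngine();
        return engine.eval(userExpression); // user input executed as code (CWE-95)
    }

    // Hardened form 1: no eval at all. The request selects an operation from a fixed
    // allowlist and supplies operands that must parse as plain numbers.
    private static final Map<String, DoubleBinaryOperator> ALLOWED_OPS = Map.of(
            "add", (a, b) -> a + b,
            "sub", (a, b) -> a - b,
            "mul", (a, b) -> a * b,
            "div", (a, b) -> a / b);

    static double evaluateSafe(String op, String lhs, String rhs) {
        DoubleBinaryOperator f = ALLOWED_OPS.get(op);
        if (f == null) {
            throw new IllegalArgumentException("unsupported operation: " + op);
        }
        return f.applyAsDouble(parseOperand(lhs), parseOperand(rhs));
    }

    // Strict validation: only an optional sign, digits and an optional fraction are accepted.
    private static double parseOperand(String s) {
        if (s == null || !s.matches("-?\\d+(\\.\\d+)?")) {
            throw new IllegalArgumentException("operand must be numeric");
        }
        return Double.parseDouble(s);
    }

    // Hardened form 2: a script engine is still used, but the script is a constant.
    // The user value enters through a binding, so the engine treats it as a string value.
    static Object evaluateWithBindings(String userValue) throws ScriptException {
        ScriptEngine engine = requireEngine();
        engine.put("input", userValue);
        return engine.eval("input.length"); // fixed script, no user-controlled code
    }

    private static ScriptEngine requireEngine() {
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("javascript");
        if (engine == null) {
            throw new IllegalStateException("no JavaScript engine available on this JDK");
        }
        return engine;
    }

    public static void main(String[] args) throws ScriptException {
        // Constructed sample requests: a benign arithmetic request and a rejected one.
        System.out.println(evaluateSafe("add", "2", "3"));        // 5.0
        try {
            evaluateSafe("add", "2", "3; someOtherCall()");         // rejected by validation
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(evaluateWithBindings("hello"));         // 5 (string length, not code)
    }
}
```

The allowlist version is the one to prefer: it removes the script engine from the request path entirely, so there is nothing for injected text to execute. The bindings version is for cases where dynamic evaluation is genuinely required; its safety rests on the script literal being constant and on the user value only ever being read as a bound variable.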

Configuration

This rule can be omitted from a scan through the scanner's rule configuration. Continuous, code-level scanning is available through our SAST tool.