Unsanitized user input in 'eval' type function

Overview

  • Rule ID: javascript_lang_eval_user_input

  • Applicable Languages: JavaScript

  • Weakness ID: CWE-95

Description

Passing user input to eval, or to any function that turns a string into code (the Function constructor, or setTimeout and setInterval when handed a string instead of a function), lets an attacker choose the code that runs. The input is compiled and executed in the application's own context, so a crafted value becomes remote code execution with whatever privileges the process holds.

Remediation Guidelines

  • Do not use eval or similar code execution functions directly with user input. This approach can make your application vulnerable to attacks.

    eval(userInput); // unsafe
    
  • Do use static, hardcoded values when working with dynamic code execution methods. This ensures that only predefined operations are performed, reducing the risk of executing malicious code.

    let myFunc = "(a, b) => a + b";
    if (req.params["single_item"]) {
      myFunc = "(a) => a";
    }
    // Both candidate strings are literals in the source; the request only
    // selects between them, so no user-supplied text ever reaches eval.
    const fn = eval(myFunc);
    
  • Do prefer precompiled functions over compiling code that incorporates user input. Define the permitted operations as ordinary functions ahead of time and select among them by name: user input then decides which predefined function runs, never what code it contains. Look the name up in a Map or with an explicit allowlist check rather than indexing a plain object, so that names such as "constructor" or "__proto__" cannot resolve to inherited properties.

  • Do enable JavaScript's strict mode. It catches common coding mistakes, and for a direct eval it stops the evaluated code from declaring variables or functions in the calling scope. It does not make eval safe to call on user input; treat it as a way to limit the damage of code you evaluate deliberately, not as a substitute for the guidance above. The directive must be the first statement of the script or function it applies to.

    'use strict';
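The following is an added example, not code from the rule page or from Bearer: the same request handler written first with eval (vulnerable) and then with precompiled functions selected by name (fixed). The request shape (an operation name plus a list of numbers), the operation names, and the `globalThis.evalInjected` flag used to show the injected side effect are all assumptions made for the demonstration.

```javascript
// Added example, not code from the Bearer rule page: the same dispatch written
// with eval (vulnerable) and with precompiled functions chosen by name (fixed).
// The request shape (an "op" string plus a numeric list) is assumed.

// VULNERABLE: the client controls the source text handed to eval, so any
// expression it sends runs with the application's privileges (CWE-95).
function unsafeReduce(userOp, values) {
  const fn = eval(userOp); // unsafe: userOp is attacker-controlled code
  return values.reduce(fn);
}

// FIXED: every permitted operation is a real function compiled with the
// application. User input only selects an entry; it never becomes code.
// A Map is used rather than a plain object so that names such as
// "constructor" or "__proto__" cannot resolve to inherited properties.
const OPERATIONS = new Map([
  ["sum", (a, b) => a + b],
  ["max", (a, b) => Math.max(a, b)],
  ["min", (a, b) => Math.min(a, b)],
]);

function lookupOperation(userOp) {
  if (typeof userOp !== "string" || !OPERATIONS.has(userOp)) {
    throw new Error(`unsupported operation: ${String(userOp)}`);
  }
  return OPERATIONS.get(userOp);
}

function safeReduce(userOp, values) {
  return values.reduce(lookupOperation(userOp));
}

// The same rule applies to setTimeout/setInterval: schedule a function
// reference, never a string built from user input.
function scheduleSafeReduce(userOp, values, delayMs, onResult) {
  const fn = lookupOperation(userOp); // validated before anything is scheduled
  return setTimeout(() => onResult(values.reduce(fn)), delayMs);
}

// Demonstration with constructed inputs (assumed, not taken from the page).
function demo() {
  const results = {};
  results.safe = safeReduce("sum", [1, 2, 3]); // 6

  // An attacker-supplied "operation" that smuggles a side effect in front of
  // the reducer: with eval it executes, with the allowlist it is rejected.
  const payload = "(globalThis.evalInjected = true, (a, b) => a + b)";
  results.unsafe = unsafeReduce(payload, [1, 2]); // 3, and the flag is now set
  results.injected = globalThis.evalInjected === true; // true

  try {
    safeReduce(payload, [1, 2]);
    results.rejected = false;
  } catch (e) {
    results.rejected = true; // true: the payload is not a known operation name
  }
  return results;
}
```

Note that `lookupOperation` validates before `scheduleSafeReduce` calls setTimeout, so a bad name fails synchronously instead of surfacing later inside the timer callback.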
