# Unsanitized user input in 'eval' type function

## Overview

* **Rule ID**: `javascript_lang_eval_user_input`
* **Applicable Languages**: Javascript
* **Weakness ID**: CWE-95

## Description

Allowing user input to directly influence the behavior of `eval` and similar functions, such as `setTimeout` called with a string argument, poses a significant security risk, potentially leading to remote code execution. The vulnerability arises from dynamic execution of code that an attacker can craft: whatever reaches `eval` runs with the full privileges of the application.

## Remediation Guidelines

* **Do not** use `eval` or similar code execution functions directly with user input. This approach can make your application vulnerable to attacks.

  ```javascript
  eval(userInput); // unsafe
  ```
* **Do use** static, hardcoded values when working with dynamic code execution methods. This ensures that only predefined operations are performed, reducing the risk of executing malicious code.

  ```javascript
  // User input only decides *which* predefined string is evaluated;
  // it never becomes part of the code itself.
  let myFunc = "(a, b) => a + b";
  if (req.params["single_item"]) {
    myFunc = "(a) => a";
  }
  ```
* **Do consider** using compiled functions instead of dynamically compiling code with user input. This practice allows for safer execution of dynamic operations by predefining the code to be executed.
* **Do enable** JavaScript's strict mode in your code. This mode helps catch common coding mistakes, prevents unsafe actions, and restricts features that weaken your code, for example `eval` is no longer able to introduce variables into the surrounding scope.

  ```javascript
  'use strict';
  ```
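The following is an added example, not code from this page or the sec1 documentation, showing the "hardcoded values" and "compiled functions" guidance together: user input (an assumed `opName` standing in for something like `req.params.op`) only selects among predefined functions, and deferred work is passed to `setTimeout` as a function rather than a string.

```javascript
// Added example: select behaviour from user input without letting
// that input reach eval() or a string-form setTimeout().

// The only operations the application is prepared to run, written as
// ordinary compiled functions instead of source strings.
const OPERATIONS = Object.freeze({
  add: (a, b) => a + b,
  sub: (a, b) => a - b,
  single: (a) => a,
});

// Map the user-supplied name to a function, or fail closed.
// hasOwnProperty rejects inherited keys such as "constructor" or
// "toString", which a plain `opName in OPERATIONS` check would accept.
function resolveOperation(opName) {
  if (!Object.prototype.hasOwnProperty.call(OPERATIONS, opName)) {
    throw new Error(`unsupported operation: ${String(opName)}`);
  }
  return OPERATIONS[opName];
}

// opName is an assumed stand-in for request data (e.g. req.params.op);
// a and b are numbers the caller has already parsed.
function safeApply(opName, a, b) {
  return resolveOperation(opName)(a, b);
}

// Deferred execution done the same way: validate the name first,
// then hand setTimeout a closure, never a string built from input.
// Returns the timer handle; an unknown opName throws synchronously.
function scheduleSafe(opName, a, b, delayMs, onResult) {
  const op = resolveOperation(opName);
  return setTimeout(() => onResult(op(a, b)), delayMs);
}

// Stand-alone demo with constructed inputs.
console.log(safeApply("add", 2, 3)); // 5
scheduleSafe("single", 7, undefined, 0, (r) => console.log(r)); // 7
try {
  safeApply("constructor", 1, 2);
} catch (e) {
  console.log(e.message); // unsupported operation: constructor
}
```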

## References

* [**MDN JavaScript strict mode reference**](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Strict_mode)
* [**CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')**](https://cwe.mitre.org/data/definitions/95.html)
* [**OWASP Top 10: A03:2021 - Injection**](https://owasp.org/Top10/A03_2021-Injection/)

## Configuration

To omit this rule


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.sec1.io/user-docs/4-sast/3-javascript/unsanitized-user-input-in-eval-type-function.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
