detect-eval-with-expression

javascript-security

oscar143

SecurityWarning


No tags

No CWE or CVE

(security/detect-eval-with-expression)

Detects eval(variable), which can allow an attacker to run arbitrary code inside your process

What are the security issues with eval in JavaScript?

Ast Rule: function call

function visit(node, filename, code) {
  // Only consider calls whose callee is the bare identifier `eval`.
  if (node?.functionName?.value === "eval") {
    // `eval()` with no arguments executes nothing, so it is not reported.
    if (node.arguments?.values?.length) {
      // The first argument is the source text that eval() will execute.
      const codeArg = node.arguments.values[0];

      // A string literal (enclosed in matching double or single quotes)
      // cannot carry attacker-controlled input, so it is accepted.
      if (
        codeArg.value?.astType === "string" &&
        (
          (codeArg.value.value.startsWith(`"`) && codeArg.value.value.endsWith(`"`)) ||
          (codeArg.value.value.startsWith(`'`) && codeArg.value.value.endsWith(`'`))
        )
      ) {
        return;
      }

      // Anything else (identifier, call result, template, concatenation)
      // is an expression whose value is only known at run time: report it.
      addError(buildError(
        codeArg.value.start.line,
        codeArg.value.start.col,
        codeArg.value.end.line,
        codeArg.value.end.col,
        `use eval only with string literals`,
        "WARNING",
        "SECURITY",
      ));
    }
  }
}

bad.jsx

Expected test result: has error

eval(myVar);
eval(myFunc());

good.jsx

Expected test result: no error

eval();
eval("console.log(true);");
eval('console.log(true);');
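Shown below, as an added example that is not part of the Codiga rule or its test files, is the pattern the rule reports (eval applied to a run-time value) next to a hardened replacement; the settings format, the key names and the two inputs are assumptions constructed for the illustration.

```javascript
// Added example (not from the Codiga rule page): eval(variable) as the rule
// reports it, beside a hardened replacement. Settings format, key names and
// inputs are constructed for illustration.

// Before: a settings string becomes an object via eval(). Any input that is
// valid JavaScript runs with this process's privileges, not just data.
function parseSettingsUnsafe(input) {
  return eval("(" + input + ")"); // reported by detect-eval-with-expression
}

// After: JSON.parse accepts data only, never code, and an explicit shape
// check rejects keys and types the application does not expect.
const ALLOWED_KEYS = new Set(["theme", "retries"]);

function parseSettingsSafe(input) {
  let parsed;
  try {
    parsed = JSON.parse(input);
  } catch (e) {
    throw new Error("settings must be valid JSON");
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new Error("settings must be a JSON object");
  }
  for (const key of Object.keys(parsed)) {
    if (!ALLOWED_KEYS.has(key)) throw new Error("unexpected key: " + key);
  }
  if ("retries" in parsed && !Number.isInteger(parsed.retries)) {
    throw new Error("retries must be an integer");
  }
  return parsed;
}

// Constructed inputs: a plain settings object, and one that smuggles a
// function call into a "value". Here the call only sets a marker.
const PLAIN_INPUT = '{"theme": "dark", "retries": 3}';
const CODE_BEARING_INPUT =
  '{"theme": (function () { globalThis.evalRanCode = true; return "dark"; })()}';

// Runs both parsers on the code-bearing input and reports what happened.
function compare() {
  globalThis.evalRanCode = false;
  const unsafeResult = parseSettingsUnsafe(CODE_BEARING_INPUT);
  let safeRejected = false;
  try { parseSettingsSafe(CODE_BEARING_INPUT); } catch (e) { safeRejected = true; }
  return {
    unsafeTheme: unsafeResult.theme,       // "dark": looks like ordinary data
    unsafeRanCode: globalThis.evalRanCode, // true: embedded code executed
    safeRejected,                          // true: JSON.parse refused it
  };
}
```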