javascript.aws-lambda.security.tainted-eval.tainted-eval
semgrepAuthor
unknown
Download Count*
License
The eval() function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use eval(). Ensure evaluated content is not definable by external sources.
Run Locally
Run in CI
Defintion
rules:
- id: tainted-eval
message: The `eval()` function evaluates JavaScript code represented as a
string. Executing JavaScript from a string is an enormous security risk.
It is far too easy for a bad actor to run arbitrary code when you use
`eval()`. Ensure evaluated content is not definable by external sources.
metadata:
cwe:
- "CWE-95: Improper Neutralization of Directives in Dynamically
Evaluated Code ('Eval Injection')"
owasp:
- A03:2021 - Injection
category: security
technology:
- javascript
- aws-lambda
subcategory:
- vuln
likelihood: MEDIUM
impact: HIGH
confidence: LOW
references:
- https://owasp.org/Top10/A03_2021-Injection
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Code Injection
languages:
- javascript
- typescript
severity: WARNING
mode: taint
pattern-sources:
- patterns:
- pattern: $EVENT
- pattern-either:
- pattern-inside: |
exports.handler = function ($EVENT, ...) {
...
}
- pattern-inside: |
function $FUNC ($EVENT, ...) {...}
...
exports.handler = $FUNC
- pattern-inside: |
$FUNC = function ($EVENT, ...) {...}
...
exports.handler = $FUNC
pattern-sinks:
- patterns:
- focus-metavariable: $CODE
- pattern-either:
- pattern: eval($CODE)
- pattern: Function(...,$CODE)
- pattern: new Function(...,$CODE)
Examples
tainted-eval.js
exports.handler = async (event) => {
// ok:tainted-eval
eval('alert')
// ruleid:tainted-eval
eval(event['smth'])
// ruleid:tainted-eval
var x = new Function('a', 'b', `return ${event['func']}(a,b)`)
// ruleid:tainted-eval
var y = Function('a', 'b', event['code'])
}Short Link: https://sg.run/WjY2