javascript.browser.security.eval-detected.eval-detected
semgrep
Author
4,575
Download Count*
License
Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.
Run Locally
Run in CI
Defintion
rules:
- id: eval-detected
message: Detected the use of eval(). eval() can be dangerous if used to evaluate
dynamic content. If this content can be input from outside the program,
this may be a code injection vulnerability. Ensure evaluated content is
not definable by external sources.
metadata:
cwe:
- "CWE-95: Improper Neutralization of Directives in Dynamically
Evaluated Code ('Eval Injection')"
owasp:
- A03:2021 - Injection
asvs:
section: V5 Validation, Sanitization and Encoding
control_id: 5.2.4 Dynamic Code Execution Features
control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing
version: "4"
category: security
technology:
- browser
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
confidence: LOW
references:
- https://owasp.org/Top10/A03_2021-Injection
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Code Injection
languages:
- javascript
- typescript
severity: WARNING
patterns:
- pattern-not: eval("...")
- pattern: eval(...)
Examples
eval-detected.js
/**
* Only report `eval` when we provide it with non-constant parameters.
*/
/**
* Negative matches
*/
// ok:eval-detected
eval('var x = "static strings are okay";');
// ok:eval-detected
const constVar = "function staticStrings() { return 'static strings are okay';}";
eval(constVar);
// ok - const within another const
eval(`${constVar}`);
// ok - concatenating with another const okay
const secondConstVar = 'this is a const variable';
eval(constVar + secondConstVar);
/**
* Positive Matches
*/
let dynamic = window.prompt() // arbitrary user input
// ruleid:eval-detected
eval(dynamic + 'possibly malicious code');
// ruleid:eval-detected
eval(`${dynamic} possibly malicious code`);
// ruleid:eval-detected
eval(dynamic.concat(''));
function evalSomething(something) {
// ruleid:eval-detected
eval(something);
}
Short Link: https://sg.run/7ope