javascript.browser.security.eval-detected.eval-detected

profile photo of semgrepsemgrep
Author
4,575
Download Count*
LGPL Commons Clause
License

Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: eval-detected
    message: Detected the use of eval(). eval() can be dangerous if used to evaluate
      dynamic content. If this content can be input from outside the program,
      this may be a code injection vulnerability. Ensure evaluated content is
      not definable by external sources.
    metadata:
      cwe:
        - "CWE-95: Improper Neutralization of Directives in Dynamically
          Evaluated Code ('Eval Injection')"
      owasp:
        - A03:2021 - Injection
      asvs:
        section: V5 Validation, Sanitization and Encoding
        control_id: 5.2.4 Dynamic Code Execution Features
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing
        version: "4"
      category: security
      technology:
        - browser
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      - pattern-not: eval("...")
      - pattern: eval(...)

Examples

eval-detected.js

/**
 * Only report `eval` when we provide it with non-constant parameters.
 */

/**
 * Negative matches
 */

// ok:eval-detected
eval('var x = "static strings are okay";');

// ok:eval-detected
const constVar = "function staticStrings() { return 'static strings are okay';}";
eval(constVar);

// ok - const within another const
eval(`${constVar}`);

// ok - concatenating with another const okay
const secondConstVar = 'this is a const variable';
eval(constVar + secondConstVar);

/**
 * Positive Matches
 */

let dynamic = window.prompt() // arbitrary user input

// ruleid:eval-detected
eval(dynamic + 'possibly malicious code');

// ruleid:eval-detected
eval(`${dynamic} possibly malicious code`);

// ruleid:eval-detected
eval(dynamic.concat(''));

function evalSomething(something) {
    // ruleid:eval-detected
    eval(something);
}