javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression
Community Favorite. Download count: 33,600
Detected dynamic execution of JavaScript (eval, new Function, or a string passed to setTimeout/setInterval) whose argument is built from the page URL (location.href, location.search or location.hash, including values read through URLSearchParams). That input is attacker-controlled, so it leads to code injection and Cross-Site Scripting (XSS). Where possible, avoid passing user input to functions that execute it as code; if the input has to select behaviour, use it only as a key into an explicit allow-list. Note that this rule tracks taint only from the location sources listed in its definition: other untrusted inputs (postMessage data, form fields, fetched JSON) flowing into the same sinks are not reported by it.
Definition
```yaml
rules:
  - id: detect-eval-with-expression
    message: Detected use of dynamic execution of JavaScript which may come from
      user-input, which can lead to Cross-Site-Scripting (XSS). Where possible
      avoid including user-input in functions which dynamically execute
      user-input.
    metadata:
      cwe:
        - "CWE-95: Improper Neutralization of Directives in Dynamically
          Evaluated Code ('Eval Injection')"
      owasp:
        - A03:2021 - Injection
      source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-eval-with-expression.js
      references:
        - https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!
      category: security
      technology:
        - javascript
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - javascript
      - typescript
    severity: WARNING
    mode: taint
    pattern-sources:
      - patterns:
          - pattern-either:
              - pattern-inside: |
                  $PROP = new URLSearchParams($WINDOW. ... .location.search).get('...')
                  ...
              - pattern-inside: |
                  $PROP = new URLSearchParams(location.search).get('...')
                  ...
              - pattern-inside: |
                  $PROP = new URLSearchParams($WINDOW. ... .location.hash.substring(1)).get('...')
                  ...
              - pattern-inside: |
                  $PROP = new URLSearchParams(location.hash.substring(1)).get('...')
                  ...
          - focus-metavariable: $PROP
      - patterns:
          - pattern-either:
              - pattern-inside: |
                  $PROPS = new URLSearchParams($WINDOW. ... .location.search)
                  ...
              - pattern-inside: |
                  $PROPS = new URLSearchParams(location.search)
                  ...
              - pattern-inside: |
                  $PROPS = new URLSearchParams($WINDOW. ... .location.hash.substring(1))
                  ...
              - pattern-inside: |
                  $PROPS = new URLSearchParams(location.hash.substring(1))
                  ...
          - pattern: $PROPS.get('...')
          - focus-metavariable: $PROPS
      - patterns:
          - pattern-either:
              - pattern: location.href
              - pattern: location.hash
              - pattern: location.search
              - pattern: $WINDOW. ... .location.href
              - pattern: $WINDOW. ... .location.hash
              - pattern: $WINDOW. ... .location.search
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: eval(<... $SINK ...>)
              - pattern: window.eval(<... $SINK ...>)
              - pattern: new Function(<... $SINK ...>)
              - pattern: new Function(<... $SINK ...>)(...)
              - pattern: setTimeout(<... $SINK ...>,...)
              - pattern: setInterval(<... $SINK ...>,...)
          - focus-metavariable: $SINK
    pattern-sanitizers:
      - patterns:
          - pattern-either:
              - pattern: location.href = $FUNC(...)
              - pattern: location.hash = $FUNC(...)
              - pattern: location.search = $FUNC(...)
              - pattern: $WINDOW. ... .location.href = $FUNC(...)
              - pattern: $WINDOW. ... .location.hash = $FUNC(...)
              - pattern: $WINDOW. ... .location.search = $FUNC(...)
```
Examples

detect-eval-with-expression.js

```javascript
// ok:detect-eval-with-expression
eval('alert')
// ok:detect-eval-with-expression
window.eval('alert')
// ruleid:detect-eval-with-expression
window.eval(`alert('${location.href}')`)
let funcName = new URLSearchParams(window.location.search).get('a')
// ruleid:detect-eval-with-expression
var x = new Function(`return ${funcName}(a,b)`)
```
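The following is an added example, not part of the Semgrep rule or its test file. It shows the taint flow the rule reports (a URL query parameter reaching `new Function`) beside a hardened version that never turns the parameter into code, and drives both with a constructed attack URL so the difference is observable. Under Node there is no `window.location`, so `fakeWindow`, `handlers`, `callVulnerable`, `callSafe`, `ATTACK_QUERY` and `demo` are all assumptions made here; in a browser the real `window.location.search`, set by whoever controls the page URL, is the source.

```javascript
// Added example (not from the Semgrep rule or its test file): the flow the
// rule flags beside its hardened form. `fakeWindow` is a constructed
// stand-in for the browser's `window` object so the file runs under Node.

const handlers = {
  add: (a, b) => a + b,
  mul: (a, b) => a * b,
};

// Constructed stand-in for `window`; only `location.search` is needed here.
function fakeWindow(search) {
  return { location: { search } };
}

// VULNERABLE: `funcName` is tainted by `win.location.search` (a
// pattern-source of the rule) and reaches `new Function(...)` (a
// pattern-sink), so Semgrep reports the constructor call. Any `?a=` value
// that is syntactically valid JavaScript runs with the page's privileges.
function callVulnerable(win, a, b) {
  const funcName = new URLSearchParams(win.location.search).get('a');
  // ruleid:detect-eval-with-expression
  const fn = new Function('handlers', 'a', 'b',
    `const r = handlers.${funcName}(a, b); return r;`);
  return fn(handlers, a, b);
}

// HARDENED: the parameter is only ever used as a key into an explicit
// allow-list. No code is assembled from it, so there is no execution sink
// for taint to reach; unknown or missing names are rejected, not executed.
function callSafe(win, a, b) {
  const funcName = new URLSearchParams(win.location.search).get('a');
  if (funcName === null ||
      !Object.prototype.hasOwnProperty.call(handlers, funcName)) {
    throw new Error(`unknown operation: ${funcName}`);
  }
  return handlers[funcName](a, b);
}

// Constructed attack URL: the `?a=` value closes the intended call, runs an
// extra statement, then re-opens a call so the generated body still parses.
// In a browser the injected statement could be anything, e.g. sending
// document.cookie to an attacker-controlled host.
const ATTACK_QUERY = '?a=' + encodeURIComponent(
  "add(a, b); globalThis.pwned = 'injected'; void handlers.add");

// Runs both versions against a benign and an attacker URL and returns what
// happened, so the outcome can be checked rather than just printed.
function demo() {
  globalThis.pwned = undefined;
  const benign = fakeWindow('?a=add');
  const attack = fakeWindow(ATTACK_QUERY);
  const results = {
    benignVulnerable: callVulnerable(benign, 2, 3), // 5
    benignSafe: callSafe(benign, 2, 3),             // 5
    attackVulnerable: callVulnerable(attack, 2, 3), // 5, but the injected statement ran
    pwnedAfterVulnerable: globalThis.pwned,         // 'injected'
  };
  let safeRejected = false;
  try {
    callSafe(attack, 2, 3);
  } catch (e) {
    safeRejected = /unknown operation/.test(e.message);
  }
  results.safeRejected = safeRejected;              // true
  return results;
}

console.log(demo());
```

Both versions read the same source, so the difference is entirely at the sink: `callSafe` has none, which is why the rule stays quiet on it, while `callVulnerable` returns the correct answer for the attack URL and still executes the injected statement, which is exactly the property that makes eval injection hard to notice in testing.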
Short Link: https://sg.run/6nwK