scala.lang.security.audit.scalajs-eval.scalajs-eval

Author
unknown
The eval() function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk: it is far too easy for a bad actor to run arbitrary code when you use eval(). Do not use eval(). Alternatively, ensure evaluated content is not definable by external sources. If that is not possible, strip everything except alphanumeric characters from any input used to build the command string and its arguments.

Definition

rules:
  - id: scalajs-eval
    mode: taint
    pattern-sources:
      - patterns:
          - pattern: $PARAM
          - pattern-either:
              - pattern-inside: |
                  def $CTRL(..., $PARAM: $TYPE, ...) = {
                    ...
                  }
              - pattern-inside: |
                  def $CTRL(..., $PARAM: $TYPE, ...) = $A {
                    ...
                  }
              - pattern-inside: |
                  def $CTRL(..., $PARAM: $TYPE, ...) = $A(...) {
                    ...
                  }
    pattern-sinks:
      - patterns:
          - pattern: $JS.eval(...)
          - pattern-inside: |
              import scala.scalajs.$X
              ...
    message: "`eval()` function evaluates JavaScript code represented as a string.
      Executing JavaScript from a string is an enormous security risk. It is far
      too easy for a bad actor to run arbitrary code when you use `eval()`. Do
      not use eval(). Alternatively: Ensure evaluated content is not definable
      by external sources. If it’s not possible, strip everything except
      alphanumeric characters from an input provided for the command string and
      arguments."
    metadata:
      references:
        - https://www.scala-js.org/doc/
      cwe:
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      owasp:
        - A03:2021 - Injection
      category: security
      technology:
        - scala
        - scala-js
      confidence: LOW
      cwe2022-top25: true
      subcategory:
        - vuln
      likelihood: LOW
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    languages:
      - scala
    severity: WARNING

Examples

scalajs-eval.scala

package controllers

import scala.scalajs.js

object Smth {
  def call1(code: String) = {
    // ruleid: scalajs-eval
    js.eval(s"console.log($code)")
    // ok: scalajs-eval
    js.eval("FooBar()")
    true
  }
}

object FooBar {
  def call2(code: String) = {
    // ruleid: scalajs-eval
    js.eval("console.log(" + code +")")
    // ok: scalajs-eval
    js.eval("FooBar()")
    true
  }
}
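The two mitigations named in the rule message (keep evaluated content out of external control, or reduce the input to alphanumerics) shown beside the flagged pattern, as an added Scala.js example that is not part of the Semgrep rule or its test file; the object and method names are assumed for illustration.

```scala
package controllers

import scala.scalajs.js
import scala.scalajs.js.Dynamic.{global => g}

object EvalMitigations {
  // Flagged pattern: a caller-controlled string is spliced into JavaScript
  // source, so the caller chooses what gets executed.
  def vulnerable(code: String) = {
    js.eval(s"console.log($code)")
  }

  // Preferred fix: do not generate code at all. The value crosses the
  // interop boundary as a function argument, so it is never parsed as JS.
  def logAsData(code: String) = {
    g.console.log(code)
  }

  // "Not definable by external sources": the caller may only pick a key;
  // every snippet that reaches eval is a constant fixed at compile time.
  private val snippets: Map[String, String] = Map(
    "ping"    -> "FooBar()",
    "version" -> "console.log('v1')"
  )

  def runNamed(name: String): Boolean = {
    snippets.get(name) match {
      case Some(constant) => js.eval(constant); true
      case None           => false
    }
  }

  // Last resort from the rule message: keep only ASCII letters and digits,
  // which removes quotes, parentheses and operators before any string use.
  def alnumOnly(input: String): String = {
    input.replaceAll("[^A-Za-z0-9]", "")
  }
}
```

The data-passing form should be the default; the allowlist keeps eval reachable only for constants, and the alphanumeric filter is a fallback, not a substitute for removing eval.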