scala.lang.security.audit.scalajs-eval.scalajs-eval

Author
unknown
Download Count*
License
eval()
function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use eval()
. Do not use eval(). Alternatively: Ensure evaluated content is not definable by external sources. If it’s not possible, strip everything except alphanumeric characters from an input provided for the command string and arguments.
Run Locally
Run in CI
Defintion
rules:
- id: scalajs-eval
mode: taint
pattern-sources:
- patterns:
- pattern: $PARAM
- pattern-either:
- pattern-inside: |
def $CTRL(..., $PARAM: $TYPE, ...) = {
...
}
- pattern-inside: |
def $CTRL(..., $PARAM: $TYPE, ...) = $A {
...
}
- pattern-inside: |
def $CTRL(..., $PARAM: $TYPE, ...) = $A(...) {
...
}
pattern-sinks:
- patterns:
- pattern: $JS.eval(...)
- pattern-inside: |
import scala.scalajs.$X
...
message: "`eval()` function evaluates JavaScript code represented as a string.
Executing JavaScript from a string is an enormous security risk. It is far
too easy for a bad actor to run arbitrary code when you use `eval()`. Do
not use eval(). Alternatively: Ensure evaluated content is not definable
by external sources. If it’s not possible, strip everything except
alphanumeric characters from an input provided for the command string and
arguments."
metadata:
references:
- https://www.scala-js.org/doc/
cwe:
- "CWE-94: Improper Control of Generation of Code ('Code Injection')"
owasp:
- A03:2021 - Injection
category: security
technology:
- scala
- scala-js
confidence: LOW
cwe2022-top25: true
subcategory:
- vuln
likelihood: LOW
impact: HIGH
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Code Injection
languages:
- scala
severity: WARNING
Examples
scalajs-eval.scala
package controllers
import scala.scalajs.js
object Smth {
def call1(code: String) = {
// ruleid: scalajs-eval
js.eval(s"console.log($code)")
// ok: scalajs-eval
js.eval("FooBar()")
true
}
}
object FooBar {
def call2(code: String) = {
// ruleid: scalajs-eval
js.eval("console.log(" + code +")")
// ok: scalajs-eval
js.eval("FooBar()")
true
}
}
Short Link: https://sg.run/R5L2