Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Description

The application uses the `eval` function or `Function()` constructor with user-supplied input, which could lead to arbitrary code execution and potentially result in a full system compromise in Node applications or Cross-site Scripting (XSS) in web applications.

Examples

Insecure Code

eval(userInput);

Secure Code

const obj = {key1: 'value1', key2: 'value2'}; const key = getUserInput(); const value = (obj.hasOwnProperty(key))? obj[key] : '';

Remediation

Remove all calls to `eval`, `Function()`, `setTimeout()`, and `setInterval()` methods with user-supplied input and consider alternative methods for executing the necessary business logic, such as using property accessors to dynamically access values.

Rule Details

Field	Value
ID	CODE-0195
Category	Injection
Severity	HIGH
CWE	CWE-95
Confidence	HIGH
Impact	HIGH
Likelihood	MEDIUM
Exploitability	EASY
Tags	eval, Function, setTimeout, setInterval, XSS
OWASP	A1:2017-Injection, A03:2021-Injection

---