User controlled data in eval() or similar functions

Description

User controlled data in eval() or similar functions may result in Server Side Injection or Remote Code Injection. This occurs when user input is not properly sanitized and is executed by the application, allowing an attacker to inject malicious code.

Examples

Insecure Code

javascript

eval(req.query.data);

Secure Code

javascript

const data = req.query.data; const template = Handlebars.compile('template'); const result = template(data);

Remediation

Validate and sanitize all user input before passing it to eval() or similar functions. Consider using a templating engine or a safer alternative to eval().

Rule Details

Field	Value
ID	CODE-0373
Category	Injection
Severity	CRITICAL
CWE	CWE-95
Confidence	HIGH
Impact	HIGH
Likelihood	HIGH
Exploitability	EASY
Tags	eval, injection, server-side
OWASP	A1:2017-Injection, A03:2021-Injection

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

User controlled data in eval() or similar functions

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

SAST Rules

IaC Rules

License Rules

User controlled data in eval() or similar functions ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

User controlled data in eval() or similar functions

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details