Javascript Eval With Untrusted Input
Description
Detects usage of JavaScript's eval() function, which can execute arbitrary JavaScript code at runtime. When eval() processes untrusted or user-controlled input, it creates a significant security risk as malicious code could be injected and executed in the application's context.
Detection Strategy
• Identifies calls to JavaScript's eval() function in source code
• Examines the code surrounding eval() calls to determine if the input could be untrusted
• Reports a vulnerability when eval() is called with dynamic or user-controllable input
• Checks both direct eval() calls and indirect uses through aliases or references
• Focuses on JavaScript and other languages that support eval-like functionality
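The strategy above, as an added example (not Fluid Attacks' own engine): a small line-based detector that first collects aliases of eval, then flags calls to eval or an alias whose argument is not a constant string. The source it scans (SAMPLE) is constructed for the demonstration; a production scanner would work on an AST rather than on regexes.

```javascript
// Added example: line-based detection of eval() with dynamic input.
// Limitations: comments are not stripped and multi-line calls are skipped.
const CALLEE_RE = /\b([A-Za-z_$][\w$]*)\s*\(/g;
const ALIAS_RE = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(?:window\.|globalThis\.)?eval\b/g;

// Text between the parentheses opening at index `open`, honouring quotes
// so parentheses inside string literals do not affect nesting depth.
function extractCallArg(line, open) {
  let depth = 0, quote = null;
  for (let i = open; i < line.length; i++) {
    const ch = line[i];
    if (quote) {
      if (ch === '\\') i++;               // skip the escaped character
      else if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'" || ch === '`') quote = ch;
    else if (ch === '(') depth++;
    else if (ch === ')' && --depth === 0) return line.slice(open + 1, i);
  }
  return null;                             // call not closed on this line
}

// A constant string (no concatenation, no ${} interpolation) is the only
// argument treated as not user-controlled.
function isStringLiteral(arg) {
  const a = arg.trim();
  return /^(['"])(?:\\.|(?!\1)[^\\])*\1$/.test(a) || (/^`(?:\\.|[^`\\])*`$/.test(a) && !a.includes('${'));
}

function findEvalWithUntrustedInput(source) {
  const lines = source.split('\n');
  const sinks = new Set(['eval']);
  // Pass 1: any identifier bound to eval becomes a sink too
  for (const line of lines) for (const m of line.matchAll(ALIAS_RE)) sinks.add(m[1]);
  // Pass 2: report sink calls whose argument is dynamic
  const findings = [];
  lines.forEach((line, i) => {
    for (const m of line.matchAll(CALLEE_RE)) {
      if (!sinks.has(m[1])) continue;
      const arg = extractCallArg(line, m.index + m[0].length - 1);
      if (arg === null || isStringLiteral(arg)) continue;
      findings.push({ line: i + 1, callee: m[1], arg: arg.trim() });
    }
  });
  return findings;
}

// Constructed sample, modelled on the vulnerable function on this page
const SAMPLE = `function processUserInput(req) {
  const userInput = req.query.input;
  eval(userInput);
  eval('console.log("User provided: ' + userInput + '")');
  eval("1 + 1");
  const run = window.eval;
  run(userInput);
}`;
```

Running findEvalWithUntrustedInput(SAMPLE) reports lines 3, 4 and 7; the constant eval("1 + 1") on line 5 is not reported.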
Vulnerable code example
function processUserInput(req) {
  const userInput = req.query.input;
  eval(userInput); // Vulnerable: Directly evaluates untrusted user input
  // Even "safe-looking" eval can be dangerous with user input
  eval('console.log("User provided: ' + userInput + '")'); // Vulnerable: String concatenation with user input in eval
}

✅ Secure code example
function processUserInput(req) {
  // Define whitelist of allowed actions instead of using eval
  const allowedActions = {
    greet: (name) => `Hello ${String(name)}`,
    add: (a, b) => Number(a) + Number(b),
    getCurrentTime: () => new Date().toISOString()
  };
  // The page's snippet is truncated here; the dispatch below is an assumed
  // completion: look the requested action up by name, never evaluate it.
  const { action } = req.query;
  const args = Array.isArray(req.query.args) ? req.query.args : [];
  // hasOwnProperty keeps inherited names such as "constructor" out of the whitelist
  if (!Object.prototype.hasOwnProperty.call(allowedActions, action)) {
    throw new Error('Unknown action');
  }
  return allowedActions[action](...args);
}