TypeScript Eval With Untrusted Input
Description
Detects potentially dangerous uses of the eval() function, which can lead to code injection. eval() compiles and executes an arbitrary string as JavaScript with the full privileges of the calling code, so if untrusted input reaches it, directly or through string concatenation, an attacker can run code of their choosing inside the application. The same applies to eval's equivalents, such as the Function constructor and setTimeout()/setInterval() called with a string argument.
Detection Strategy
• Check for calls to eval() in source code, treating the Function constructor and other eval-equivalents the same way
• Look for eval() calls whose argument could originate from untrusted external input (function parameters, request data, files, or strings built from them)
• Flag such uses as vulnerable, since eval() executes whatever string it receives as code
• Report a vulnerability wherever eval() is found in application code; a call with only a constant string argument is lower risk but should still be replaced
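The following scanner is an added example, not part of the original rule page: it implements the detection strategy above as a small line-based check. The sink patterns, the severity labels and the sample source it runs over are all constructed for the illustration; a production scanner would work on the TypeScript AST rather than on regular expressions.

```typescript
// Added example, not part of the original rule page: a minimal line-based
// scanner that implements the detection strategy above. It reports eval()
// and its equivalents (the Function constructor and string-argument
// setTimeout/setInterval) and separates constant string arguments from
// expressions that may carry untrusted input.

interface Finding {
  line: number;               // 1-based line number in the scanned source
  sink: string;               // which eval-equivalent was called
  argument: string;           // raw text of the first argument
  severity: "high" | "info";  // high: non-constant argument, info: literals only
}

// Each pattern captures the first argument of the call (constructed patterns).
const SINKS: Array<{ name: string; re: RegExp }> = [
  { name: "eval",        re: /\beval\s*\(\s*([^)]*)\)/ },
  { name: "Function",    re: /\b(?:new\s+)?Function\s*\(\s*([^)]*)\)/ },
  { name: "setTimeout",  re: /\bsetTimeout\s*\(\s*([^,)]*)/ },
  { name: "setInterval", re: /\bsetInterval\s*\(\s*([^,)]*)/ },
];

// True when the argument consists only of string literals (and commas),
// i.e. it is fixed at build time and cannot be influenced by an attacker.
function isConstant(arg: string): boolean {
  const withoutLiterals = arg
    .replace(/`[^`$]*`/g, "")          // template literal without ${...}
    .replace(/'[^']*'|"[^"]*"/g, "");  // single- and double-quoted strings
  return /^[\s,]*$/.test(withoutLiterals);
}

function classify(sink: string, arg: string): Finding["severity"] | null {
  const a = arg.trim();
  // Timers only behave like eval when handed a string; passing a function
  // reference or an arrow function is the normal, safe usage.
  if ((sink === "setTimeout" || sink === "setInterval") && !/['"`]/.test(a)) {
    return null;
  }
  return isConstant(a) ? "info" : "high";
}

function scanSource(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((text, idx) => {
    if (/^\s*\/\//.test(text)) return;   // skip full-line comments
    for (const { name, re } of SINKS) {
      const m = re.exec(text);
      if (!m) continue;
      const argument = (m[1] ?? "").trim();
      const severity = classify(name, argument);
      if (severity) findings.push({ line: idx + 1, sink: name, argument, severity });
    }
  });
  return findings;
}

// Constructed sample input (not real application code), mixing true sinks,
// a constant-argument sink, safe timer usage and look-alike identifiers.
const SAMPLE_SOURCE = [
  `const safeEval = require('notevil');`,
  `// eval(userInput) inside a comment must not be reported`,
  `eval(userInput);`,
  `(Function(userInput))();`,
  `const add = new Function("a", "b", "return a + b");`,
  `setTimeout("load" + userInput, 100);`,
  `setTimeout(() => refresh(), 100);`,
  `const total = evaluateTotal(cart);`,
].join("\n");

const SAMPLE_FINDINGS = scanSource(SAMPLE_SOURCE);

for (const f of SAMPLE_FINDINGS) {
  console.log(`line ${f.line}: ${f.sink}(${f.argument}) [${f.severity}]`);
}
```

On the sample, lines 3, 4 and 6 are reported as high (eval, Function and a string-argument setTimeout fed from a variable), line 5 as info (a Function constructor with only literal arguments), while the comment, the arrow-function timer and identifiers such as evaluateTotal or safeEval produce nothing.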
Vulnerable code example
const safeEval = require('notevil');

function processUserInput(userInput: string): void {
  // Direct eval of user input allows arbitrary code execution
  eval(userInput);

  // These are also dangerous - equivalent to eval: the Function constructor
  // compiles its string argument into a function body and the call runs it
  (Function(userInput))();
  ...

✅ Secure code example
// Define allowed operations in a mapping object; user input may only
// select an entry from this table, never supply code
const allowedOperations: Record<string, (...args: any[]) => any> = {
  add: (a: number, b: number) => a + b,
  multiply: (a: number, b: number) => a * b,
  greet: (name: string) => `Hello ${name}`,
  // Add other safe operations as needed
};
...
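The dispatcher below is an added example, not code from the original page: it completes the allowlist idea from the secure example with the checks a practitioner would want around the lookup. The request format (a JSON object with op and args), the OPERATIONS table and the constructed sample requests are assumptions made for the illustration.

```typescript
// Added example, not part of the original rule page: a complete allowlist
// dispatcher in the spirit of the secure example above. The request is
// parsed as JSON, the operation name must be an own property of the table
// (so inherited keys such as "constructor" or "__proto__" are rejected),
// and every argument is type-checked before the handler runs.

type ArgType = "number" | "string";

interface Operation {
  argTypes: ArgType[];                  // expected argument types, in order
  run: (...args: any[]) => unknown;     // the allowlisted implementation
}

// Constructed operation table (assumed for the example).
const OPERATIONS: Record<string, Operation> = {
  add:      { argTypes: ["number", "number"], run: (a: number, b: number) => a + b },
  multiply: { argTypes: ["number", "number"], run: (a: number, b: number) => a * b },
  greet:    { argTypes: ["string"],           run: (name: string) => `Hello ${name}` },
};
// Frozen so nothing can register a new operation at runtime.
Object.freeze(OPERATIONS);

type Result = { ok: true; value: unknown } | { ok: false; error: string };

function dispatch(rawRequest: string): Result {
  let parsed: unknown;
  try {
    parsed = JSON.parse(rawRequest);
  } catch {
    return { ok: false, error: "malformed JSON" };
  }
  if (typeof parsed !== "object" || parsed === null) {
    return { ok: false, error: "request must be an object" };
  }
  const { op, args } = parsed as { op?: unknown; args?: unknown };

  // A plain OPERATIONS[op] lookup would also resolve inherited properties
  // (e.g. op = "constructor" yields Object), so require an own property.
  if (typeof op !== "string" || !Object.prototype.hasOwnProperty.call(OPERATIONS, op)) {
    return { ok: false, error: "unknown operation" };
  }
  const spec: Operation | undefined = OPERATIONS[op];
  if (!spec) {
    return { ok: false, error: "unknown operation" };
  }

  // Arity and type checks: the handler only ever sees values it was written for.
  if (!Array.isArray(args) || args.length !== spec.argTypes.length) {
    return { ok: false, error: `${op} expects ${spec.argTypes.length} argument(s)` };
  }
  for (let i = 0; i < args.length; i++) {
    if (typeof args[i] !== spec.argTypes[i]) {
      return { ok: false, error: `argument ${i} of ${op} must be a ${spec.argTypes[i]}` };
    }
  }
  return { ok: true, value: spec.run(...args) };
}

// Constructed requests (not real traffic) exercising the checks.
console.log(dispatch('{"op":"add","args":[2,3]}'));        // { ok: true, value: 5 }
console.log(dispatch('{"op":"constructor","args":[]}'));   // { ok: false, error: "unknown operation" }
console.log(dispatch('{"op":"add","args":["2",3]}'));      // { ok: false, error: "argument 0 of add must be a number" }
```

The own-property check matters because a Record<string, …> lookup is an ordinary property access: without it, a request naming "constructor", "toString" or "__proto__" would resolve to a function inherited from Object.prototype rather than to an allowlisted handler. A Map keyed by operation name, or a table created with Object.create(null), achieves the same effect.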