NO_EVAL
Prevent unsafe usage of eval() in your application.

Conformance is available on Enterprise plans.
JavaScript's eval() function is potentially dangerous, is often misused, and might cause security issues. Using eval() on untrusted code can open an application up to several different injection attacks.
This rule will also catch eval-like function usage (or implied eval), such as passing a string as the first argument to setTimeout.
This is especially dangerous when working with data from external sources.
```js
const dontDoThis = req.body;
setTimeout(dontDoThis, 1000);
```
For more information on why you should never use eval(), see the MDN docs.
The lines below (and variations of those) will all be caught by this rule.
```js
eval('() => console.log("DROP TABLE")');
setTimeout('() => console.log("DROP TABLE")', 1000);
window.setInterval('() => console.log("DROP TABLE")', 1000);
new Function('() => console.log("DROP TABLE")');
```
Conformance rules are not type-aware, but they will follow variable references within the current module (or file).
```js
import { importedVar } from 'foo';

// No error reported, as this rule doesn't have access to the value.
setTimeout(importedVar, 100);

const localVar = 'bar';

// An error will be reported, as the variable was declared in this file.
setTimeout(localVar, 100);
```
Avoid usage of this type of evaluation entirely in your application. Instead, you should write the same functionality as raw code (not within a string).
```js
setTimeout(() => {
  console.log('Safe usage');
});
```
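The req.body example above passes untrusted text straight into an implied eval. As an added example (not part of this rule's documentation), the same "run an action later" requirement can be met with an allowlisted dispatch table, so the value reaching setTimeout is always a function and never a string; the action names, `resolveAction`, `scheduleAction` and the sample input are assumptions made for this illustration.

```javascript
// Added example: replacing an implied-eval call with allowlisted dispatch.
// The action names and helper names below are assumptions, not Conformance APIs.
const actions = new Map([
  ['refreshCache', () => 'cache refreshed'],
  ['sendDigest', () => 'digest queued'],
]);

// Map an untrusted string to a real function, or reject it.
// Only exact keys of the allowlist are accepted; anything else returns null.
function resolveAction(name) {
  if (typeof name !== 'string' || !actions.has(name)) {
    return null; // unknown or non-string input is never evaluated
  }
  return actions.get(name);
}

// Schedule the resolved function. setTimeout receives a function value,
// so this does not trigger the NO_EVAL rule's implied-eval check.
function scheduleAction(name, delayMs) {
  const fn = resolveAction(name);
  if (fn === null) {
    return { scheduled: false, reason: `unknown action: ${String(name)}` };
  }
  const timer = setTimeout(fn, delayMs);
  return { scheduled: true, timer };
}

// Constructed sample inputs standing in for req.body values.
const fromKnownClient = 'refreshCache';
const fromUnknownClient = 'console.log("DROP TABLE")';

const ok = scheduleAction(fromKnownClient, 0);
const rejected = scheduleAction(fromUnknownClient, 0);
console.log(ok.scheduled, rejected.scheduled, rejected.reason);
```

Unknown names are reported back to the caller instead of being executed, which is the behaviour a reviewer should expect wherever a former eval-style call site took external input.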