Eval Injection

eval(), new Function(), dynamic code execution

Severity: critical | Category: security | Rule: eval-injection

Why this matters

eval() and new Function() compile and execute an arbitrary string as JavaScript. If any part of that string comes from user input, an attacker can run any code they like on your server, with the privileges of the Node.js process.

Bad

app.post("/calculate", (req, res) => {
  const { expression } = req.body;
  // The request body is passed straight to eval(): any string the client
  // sends is executed as code, not treated as an arithmetic expression.
  const result = eval(expression);
  res.json({ result });
});

Good

import { evaluate } from "mathjs";

app.post("/calculate", (req, res) => {
  const { expression } = req.body;
  // mathjs parses the string with its own expression grammar; input that is
  // not a valid math expression is rejected (evaluate throws), not executed.
  const result = evaluate(expression);
  res.json({ result });
});

How to fix

Never pass data that could come from users to eval() or new Function(). Use a purpose-built parser instead: mathjs for arithmetic expressions, JSON.parse for JSON. Such parsers only accept the grammar they are built for, so input that is not a valid expression or document is rejected rather than executed. Keep the parser library up to date, since an expression evaluator is security-relevant code in its own right.
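As an added example (not part of the original rule), here is the same "parse, don't execute" idea without a library: a small recursive-descent evaluator that accepts only numbers, + - * / and parentheses, so any other input is a syntax error rather than code that runs.

```javascript
// Added example: dependency-free arithmetic evaluator as a safe replacement
// for eval() on a /calculate endpoint. Anything outside the grammar below
// (identifiers, dots, quotes, brackets, ...) is rejected by the tokenizer.
function tokenize(src) {
  const tokens = [];
  for (let i = 0; i < src.length; ) {
    const c = src[i];
    if (c === " " || c === "\t") { i++; continue; }
    if ("+-*/()".includes(c)) { tokens.push({ type: "op", value: c }); i++; continue; }
    const m = /^\d+(\.\d+)?/.exec(src.slice(i));
    if (!m) throw new SyntaxError(`unexpected character '${c}' at offset ${i}`);
    tokens.push({ type: "num", value: Number(m[0]) });
    i += m[0].length;
  }
  return tokens;
}

// Grammar: expr := term (('+'|'-') term)*
//          term := factor (('*'|'/') factor)*
//          factor := '-' factor | number | '(' expr ')'
function safeEvaluate(src) {
  const tokens = tokenize(src);
  let i = 0;
  const peek = () => tokens[i];
  const take = () => tokens[i++];
  const isOp = (...ops) => peek() && peek().type === "op" && ops.includes(peek().value);

  function factor() {
    const t = take();
    if (!t) throw new SyntaxError("unexpected end of expression");
    if (t.type === "num") return t.value;
    if (t.value === "-") return -factor();
    if (t.value === "(") {
      const v = expr();
      const close = take();
      if (!close || close.value !== ")") throw new SyntaxError("expected ')'");
      return v;
    }
    throw new SyntaxError(`unexpected token '${t.value}'`);
  }
  function term() {
    let v = factor();
    while (isOp("*", "/")) {
      const op = take().value;
      const r = factor();
      if (op === "/" && r === 0) throw new RangeError("division by zero"); // reject rather than return Infinity
      v = op === "*" ? v * r : v / r;
    }
    return v;
  }
  function expr() {
    let v = term();
    while (isOp("+", "-")) v = take().value === "+" ? v + term() : v - term();
    return v;
  }
  const result = expr();
  if (i !== tokens.length) throw new SyntaxError("unexpected trailing input");
  return result;
}
```

In the route handler, wrap safeEvaluate in try/catch and answer a SyntaxError or RangeError with a 400 instead of letting it surface as a 500.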
