Insecure Use of eval()

Why is this important?

Node.js, like any other programming language, has dangerous functions. If these functions are not used properly, they can have a catastrophic impact on your app. eval() executes whatever string it is given as JavaScript, so passing it user-controlled input can allow attackers to run arbitrary code and get full access to your production environment.

Check out this video for a high-level explanation: OS Command Injection (embedded video)

Read below to find out how to fix this issue in your code.

Fixing Insecure Use of eval()

Option A: Replace eval() with another function

  1. Go through the issues that GuardRails identified in the PR.
  2. Locate user input within the eval() function.
  3. Replace eval() with a safer alternative that achieves the same outcome. For example, parse JSON with JSON.parse(). Another example is shown below:

    var preTax = eval(req.body.preTax);
    

    with

    // always pass the radix; parseInt() returns NaN for non-numeric input,
    // so check the result with Number.isNaN() before using it
    var preTax = parseInt(req.body.preTax, 10);
    
  4. Test it and ensure the functionality works as expected.

  5. Ship it 🚢 and relax 🌴

Option B: Validate input with Joi

  1. Install Joi.
  2. Go through the issues that GuardRails identified in the PR.
  3. Replace the code that looks like:

    var preTax = eval(req.body.preTax);
    

    with:

    const Joi = require("joi");

    const taxSchema = Joi.object({
      preTax: Joi.number().precision(2).required(),
    });

    // validate() returns { error, value }; value holds the converted number
    const { error, value } = taxSchema.validate({ preTax: req.body.preTax });
    if (error == null) {
      // use the validated number directly, so eval() is no longer needed
      const preTax = value.preTax;
      // do stuff
    } else {
      // catch validation error
    }
    
  4. Test it and ensure the functionality works as expected.

  5. Ship it 🚢 and relax 🌴
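The following is an added example covering both options above; it is not code from the GuardRails page or from the Joi project. It replaces eval() on req.body.preTax with a strict, dependency-free check and follows the validate-then-use flow of Option B, returning { error, value } in the shape Joi's schema.validate() uses. The helper names (validatePreTax, compareParsers, computeTotal, handlePreTax), the tax rate and the request bodies are constructed for the example; the handler assumes Express-style req and res objects.

```javascript
// Accepts only a plain decimal amount with at most two fraction digits,
// e.g. "100", "99.5", "1234.56". Expressions, hex, exponents and trailing
// text are rejected, which is what eval() and parseInt() fail to do.
const MONEY_RE = /^-?\d+(\.\d{1,2})?$/;

// Hypothetical helper: validates one preTax value and converts it to a number.
// Form bodies arrive as strings, but a JSON body may already carry a number.
function validatePreTax(input) {
  const text = typeof input === "number" ? String(input) : input;
  if (typeof text !== "string" || !MONEY_RE.test(text.trim())) {
    return { error: "preTax must be a decimal number with at most 2 decimals", value: undefined };
  }
  const n = Number(text.trim());
  if (!Number.isFinite(n) || n < 0) {
    return { error: "preTax must be a non-negative finite number", value: undefined };
  }
  return { error: null, value: n };
}

// Shows why a bare parseInt() is a weaker replacement than a strict check:
// it silently truncates decimals and ignores trailing text.
function compareParsers(input) {
  return {
    parseInt: parseInt(input, 10),       // "12.99abc" -> 12
    strict: validatePreTax(input).value, // "12.99abc" -> undefined (rejected)
  };
}

// Constructed tax rate for the example.
const TAX_RATE = 0.2;

// Validate first, then use the converted value; eval() never touches the input.
function computeTotal(body) {
  const { error, value: preTax } = validatePreTax(body && body.preTax);
  if (error) {
    return { status: 400, body: { error } };
  }
  const total = Math.round(preTax * (1 + TAX_RATE) * 100) / 100;
  return { status: 200, body: { preTax, total } };
}

// Express-style handler (req and res are assumed to be Express objects).
function handlePreTax(req, res) {
  const result = computeTotal(req.body);
  res.status(result.status).json(result.body);
}

module.exports = { validatePreTax, compareParsers, computeTotal, handlePreTax };
```

The regular expression is deliberately narrow: widening it to what Number() accepts (hex, exponents, whitespace) is rarely needed for a money field, and every extra accepted form is one more thing downstream code has to reason about. Invalid input produces a 400 response with a plain message rather than an exception, so a malformed body cannot reach the arithmetic.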

More information: