browser-security/no-websocket-eval
The rule provides **LLM-optimized error messages** (Compact 2-line format) with actionable security guidance:
🔒 Disallow using eval() or Function() with WebSocket message data
Error Message Format
The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance:
🔒 CWE-95 OWASP:A05 CVSS:9.8 | Eval Injection detected | CRITICAL [SOC2,PCI-DSS,ISO27001]
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A05_2021/Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-95 OWASP:A05 CVSS:9.8 |
| Issue Description | Specific vulnerability | Eval Injection detected |
| Severity & Compliance | Impact assessment | CRITICAL [SOC2,PCI-DSS,ISO27001] |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |
Rule Details
This rule prevents using eval(), new Function(), or Function() with data received from WebSocket messages. This pattern enables Remote Code Execution (RCE) - one of the most severe security vulnerabilities.
Why is this dangerous?
When you use eval with WebSocket data:
- Attacker-controlled code executes in your application context
- Full access to page data - cookies, localStorage, DOM
- Actions performed as the user - form submissions, API calls
- CVSS 9.8 (Critical) - Maximum severity
Examples
❌ Incorrect
// eval() with event.data - CRITICAL RCE
ws.onmessage = (event) => {
eval(event.data);
};
// new Function() with event.data
ws.onmessage = (event) => {
const fn = new Function(event.data.code);
fn();
};
// Function() constructor
socket.addEventListener('message', (event) => {
const execute = Function(event.data);
execute();
});
// Nested property
ws.onmessage = (event) => {
eval(event.data.script);
};✅ Correct
// Parse as JSON and handle specific actions
ws.onmessage = (event) => {
const data = JSON.parse(event.data);
switch (data.action) {
case 'update':
updateUI(data.payload);
break;
case 'refresh':
location.reload();
break;
default:
console.warn('Unknown action:', data.action);
}
};
// Use a command pattern with allowed actions
const handlers = {
updateUser: (data) => updateUser(data),
showMessage: (data) => showToast(data.message),
navigate: (data) => router.push(data.path),
};
ws.onmessage = (event) => {
const { action, payload } = JSON.parse(event.data);
const handler = handlers[action];
if (handler) {
handler(payload);
}
};Options
{
"browser-security/no-websocket-eval": [
"error",
{
"allowInTests": true
}
]
}| Option | Type | Default | Description |
|---|---|---|---|
allowInTests | boolean | true | Skip checking in test files (_.test.ts, _.spec.ts) |
When Not To Use It
Never disable this rule in production code.
The only acceptable scenario is in development tools or REPLs where code execution is the explicit purpose, and even then, extreme caution is needed.
Related Rules
browser-security/no-eval- General eval() preventionbrowser-security/no-websocket-innerhtml- XSS preventionbrowser-security/require-websocket-wss- Require encrypted connections
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Data Stored in Variable
Why: Event data stored in variables not traced.
// ❌ NOT DETECTED - Data stored first
ws.onmessage = (event) => {
const code = event.data;
setTimeout(() => eval(code), 100);
};Mitigation: Never use eval with external data.
Handler in Separate Function
Why: Handler function internals not analyzed.
// ❌ NOT DETECTED - External handler
ws.onmessage = handleMessage; // May use eval internallyMitigation: Apply rule to handler implementations.
Indirect WebSocket Access
Why: WebSocket passed through may not be recognized.
// ❌ NOT DETECTED - Indirect access
setupHandler(ws, (data) => eval(data.code));Mitigation: Review all WebSocket handler patterns.
OWASP Mapping
| Category | ID |
|---|---|
| OWASP Top 10 2021 | A03:2021 - Injection |
| CWE | CWE-95 |
| CVSS | 9.8 (Critical) |