detect-eval-with-expression
Detects `eval(variable)` which can allow an attacker to run arbitrary code inside your process. This rule is part of [`eslint-plugin-secure-coding`](https://www
Keywords: eval, code injection, CWE-95, security, ESLint rule, remote code execution, RCE, arbitrary code execution, Function constructor, auto-fix, LLM-optimized, code security
Detects eval(variable) which can allow an attacker to run arbitrary code inside your process. This rule is part of eslint-plugin-secure-coding and provides LLM-optimized error messages with fix suggestions.
🚨 Security rule | 💡 Provides LLM-optimized guidance | ⚠️ Set to error in recommended
Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-95 (Code Injection) |
| Severity | Critical (security vulnerability) |
| Auto-Fix | ⚠️ Suggests fixes (manual application) |
| Category | Security |
| ESLint MCP | ✅ Optimized for ESLint MCP integration |
| Best For | All applications, especially those handling user input |
Vulnerability and Risk
Vulnerability: The use of eval() or similar functions (like setTimeout, setInterval, new Function) with dynamic arguments allows for the execution of arbitrary code derived from strings.
Risk: If the string passed to eval() contains user-controlled input, an attacker can execute malicious JavaScript code within the context of the application. This can lead to data theft, session hijacking, or server-side remote code execution (RCE).
Rule Details
This rule detects dangerous use of eval() and Function() constructor with dynamic expressions that can lead to remote code execution (RCE) vulnerabilities.
Error Message Format
The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance:
🔒 CWE-95 OWASP:A05 CVSS:9.8 | Eval Injection detected | CRITICAL [SOC2,PCI-DSS,ISO27001]
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A05_2021/Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-95 OWASP:A05 CVSS:9.8 |
| Issue Description | Specific vulnerability | Eval Injection detected |
| Severity & Compliance | Impact assessment | CRITICAL [SOC2,PCI-DSS,ISO27001] |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |
Configuration
| Option | Type | Default | Description |
|---|---|---|---|
allowLiteralStrings | boolean | false | Allow eval with literal strings |
additionalEvalFunctions | string[] | [] | Additional functions to treat as eval-like |
Examples
❌ Incorrect
// Dynamic eval - CRITICAL risk
const result = eval(userInput);
// Function constructor - HIGH risk
const func = new Function('param', userCode);
// Template evaluation - HIGH risk
const output = eval(`Hello ${userName}!`);
// Object property access - MEDIUM risk
const value = eval(`obj.${property}`);
// Math operations - MEDIUM risk
const calc = eval(`${num1} ${operator} ${num2}`);✅ Correct
// JSON parsing
const data = JSON.parse(userInput);
// Template literals (safe)
const greeting = `Hello ${userName}!`;
// Whitelisted object access
const ALLOWED_PROPS = ['name', 'age', 'email'];
if (ALLOWED_PROPS.includes(property)) {
const value = obj[property];
}
// Math with validation
const result = calculate(num1, operator, num2);
// Map for dynamic storage
const config = new Map();
config.set(userKey, value);Pattern Recognition
The rule automatically detects common eval patterns and provides targeted fixes:
JSON Parsing Pattern
❌ eval('{"key": "' + value + '"}')
✅ JSON.parse('{"key": "' + value + '"}')Object Access Pattern
❌ eval('obj.' + property)
✅ const ALLOWED = ['name', 'age']; if (ALLOWED.includes(property)) obj[property]Template Pattern
❌ eval('Hello ' + name + '!')
✅ `Hello ${name}!`Math Operations Pattern
❌ eval(num1 + ' + ' + num2)
✅ const mathOps = { '+': (a, b) => a + b }; mathOps[op](num1, num2)Security Impact
| Vulnerability | CWE | OWASP | CVSS | Impact |
|---|---|---|---|---|
| Code Injection | 95 | A03:2021 | 9.8 Critical | Complete server compromise |
| Command Injection | 78 | A03:2021 | 9.8 Critical | System command execution |
| Prototype Pollution | 915 | A01:2021 | 8.1 High | Object manipulation |
Why This Matters
Real-World Exploits
// Attacker can execute arbitrary code
const userInput = 'process.exit()'; // Server shutdown
eval(userInput); // 💥 Server dies
// Prototype pollution via eval
const userInput = "__proto__.toString = () => 'HACKED'";
eval(userInput); // 💥 All objects pollutedPrevention Strategy
- Complete Removal - Remove eval usage entirely
- Safe Alternatives - Use JSON.parse, Map, template literals
- Input Validation - Whitelist allowed patterns
- Sandboxing - Use vm module if absolutely necessary
- Static Analysis - Prefer compile-time evaluation
Migration Guide
Phase 1: Discovery
// Enable rule with warnings first
{
rules: {
'secure-coding/detect-eval-with-expression': 'warn'
}
}Phase 2: Pattern Replacement
// Replace common patterns
eval(`obj.${prop}`) → obj[prop] with validation
eval(jsonString) → JSON.parse(jsonString)
eval(mathExpr) → Safe math functionsPhase 3: Enforcement
// Strict enforcement
{
rules: {
'secure-coding/detect-eval-with-expression': 'error'
}
}Comparison with Alternatives
| Feature | detect-eval-with-expression | eslint-plugin-security | eslint-plugin-sonarjs |
|---|---|---|---|
| Code Injection Detection | ✅ Yes | ⚠️ Limited | ⚠️ Limited |
| CWE Reference | ✅ CWE-95 included | ⚠️ Limited | ⚠️ Limited |
| LLM-Optimized | ✅ Yes | ❌ No | ❌ No |
| ESLint MCP | ✅ Optimized | ❌ No | ❌ No |
| Fix Suggestions | ✅ Detailed | ⚠️ Basic | ⚠️ Basic |
Related Rules
detect-child-process- Prevents command injectiondetect-non-literal-fs-filename- Prevents path traversaldetect-object-injection- Prevents prototype pollutiondetect-non-literal-regexp- Prevents ReDoS attacks
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Aliased Functions
Why: Aliased dangerous functions not traced.
// ❌ NOT DETECTED - Aliased function
const execute = eval;
execute(userInput);Mitigation: Never alias dangerous functions.
Dynamic Invocation
Why: Dynamic method calls not analyzed.
// ❌ NOT DETECTED - Dynamic call
window['eval'](userInput);Mitigation: Avoid dynamic method access.
Wrapper Functions
Why: Wrappers not recognized.
// ❌ NOT DETECTED - Wrapper
myEval(userInput); // Uses eval internallyMitigation: Apply rule to wrapper implementations.
Further Reading
- OWASP Code Injection Prevention - Code injection attack guide
- Node.js Security Best Practices - Node.js security guidelines
- CWE-95: Code Injection - Official CWE entry
- ESLint MCP Setup - Enable AI assistant integration
detect-child-process
Detects instances of `child_process` & non-literal `exec()` calls that may allow command injection. This rule is part of [`eslint-plugin-secure-coding`](https:/
detect-indirect-prompt-injection-vectors
Detect external content (emails, documents, APIs) reaching LLM without validation.