Plugin: node-securityRules
detect-eval-with-expression
ESLint rule documentation for detect-eval-with-expression
---
title: detect-eval-with-expression
description: Detects eval(variable) which can allow an attacker to run arbitrary code inside your process
tags: ['security', 'node']
category: security
severity: critical
cwe: CWE-95
owasp: "A03:2021"
autofix: false
---
> **Keywords:** eval, code injection, CWE-95, security, ESLint rule, remote code execution, RCE, arbitrary code execution, Function constructor, auto-fix, LLM-optimized, code security
> **CWE:** [CWE-95](https://cwe.mitre.org/data/definitions/95.html)
> **OWASP Mobile:** [OWASP Mobile Top 10](https://owasp.org/www-project-mobile-top-10/)
Detects eval(variable) which can allow an attacker to run arbitrary code inside your process
Detects `eval(variable)` which can allow an attacker to run arbitrary code inside your process. This rule is part of [`eslint-plugin-node-security`](https://www.npmjs.com/package/eslint-plugin-node-security) and provides LLM-optimized error messages with fix suggestions.
**šØ Security rule** | **š” Provides LLM-optimized guidance** | **ā ļø Set to error in `recommended`**
## Quick Summary
| Aspect | Details |
| ----------------- | ------------------------------------------------------------------------- |
| **CWE Reference** | [CWE-95](https://cwe.mitre.org/data/definitions/95.html) (Code Injection) |
| **Severity** | Critical (security vulnerability) |
| **Auto-Fix** | ā ļø Suggests fixes (manual application) |
| **Category** | Security |
| **ESLint MCP** | ā
Optimized for ESLint MCP integration |
| **Best For** | All applications, especially those handling user input |
## Vulnerability and Risk
**Vulnerability:** The use of `eval()` or similar functions (like `setTimeout`, `setInterval`, `new Function`) with dynamic arguments allows for the execution of arbitrary code derived from strings.
**Risk:** If the string passed to `eval()` contains user-controlled input, an attacker can execute malicious JavaScript code within the context of the application. This can lead to data theft, session hijacking, or server-side remote code execution (RCE).
## Rule Details
This rule detects dangerous use of `eval()` and `Function()` constructor with dynamic expressions that can lead to remote code execution (RCE) vulnerabilities.
```mermaid
%%{init: {
'theme': 'base',
'themeVariables': {
'primaryColor': '#f8fafc',
'primaryTextColor': '#1e293b',
'primaryBorderColor': '#334155',
'lineColor': '#475569',
'c0': '#f8fafc',
'c1': '#f1f5f9',
'c2': '#e2e8f0',
'c3': '#cbd5e1'
}
}}%%
flowchart TD
A["š Detect eval() Call"] --> B{Contains Dynamic Expression?}
B -->|Yes| C[š Analyze Pattern]
B -->|No| D[ā
Safe - Skip]
C --> E{Recognized Pattern?}
E -->|JSON| F[š” Suggest JSON.parse]
E -->|Math| G[š” Suggest Math functions]
E -->|Template| H[š” Suggest Template literals]
E -->|Object| I[š” Suggest Map/Object validation]
E -->|Unknown| J[š” Suggest removal]
F --> K[šØ Report with LLM guidance]
G --> K
H --> K
I --> K
J --> K
```
## Error Message Format
The rule provides **LLM-optimized error messages** (Compact 2-line format) with actionable security guidance:
```text
š CWE-95 OWASP:A05 CVSS:9.8 | Eval Injection detected | CRITICAL [SOC2,PCI-DSS,ISO27001]
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A05_2021/
```
### Message Components
| Component | Purpose | Example |
| :------------------------ | :--------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Risk Standards** | Security benchmarks | [CWE-95](https://cwe.mitre.org/data/definitions/95.html) [OWASP:A05](https://owasp.org/Top10/A05_2021-Injection/) [CVSS:9.8](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV%3AN%2FAC%3AL%2FPR%3AN%2FUI%3AN%2FS%3AU%2FC%3AH%2FI%3AH%2FA%3AH) |
| **Issue Description** | Specific vulnerability | `Eval Injection detected` |
| **Severity & Compliance** | Impact assessment | `CRITICAL [SOC2,PCI-DSS,ISO27001]` |
| **Fix Instruction** | Actionable remediation | `Follow the remediation steps below` |
| **Technical Truth** | Official reference | [OWASP Top 10](https://owasp.org/Top10/A05_2021-Injection/) |
## Configuration
| Option | Type | Default | Description |
| ------------------------- | ---------- | ------- | ------------------------------------------ |
| `allowLiteralStrings` | `boolean` | `false` | Allow eval with literal strings |
| `additionalEvalFunctions` | `string[]` | `[]` | Additional functions to treat as eval-like |
## Examples
### ā Incorrect
```typescript
// Dynamic eval - CRITICAL risk
const result = eval(userInput);
// Function constructor - HIGH risk
const func = new Function('param', userCode);
// Template evaluation - HIGH risk
const output = eval(`Hello ${userName}!`);
// Object property access - MEDIUM risk
const value = eval(`obj.${property}`);
// Math operations - MEDIUM risk
const calc = eval(`${num1} ${operator} ${num2}`);
```
### ā
Correct
```typescript
// JSON parsing
const data = JSON.parse(userInput);
// Template literals (safe)
const greeting = `Hello ${userName}!`;
// Whitelisted object access
const ALLOWED_PROPS = ['name', 'age', 'email'];
if (ALLOWED_PROPS.includes(property)) {
const value = obj[property];
}
// Math with validation
const result = calculate(num1, operator, num2);
// Map for dynamic storage
const config = new Map();
config.set(userKey, value);
```
## Pattern Recognition
The rule automatically detects common eval patterns and provides targeted fixes:
### JSON Parsing Pattern
```
ā eval('{"key": "' + value + '"}')
ā
JSON.parse('{"key": "' + value + '"}')
```
### Object Access Pattern
```
ā eval('obj.' + property)
ā
const ALLOWED = ['name', 'age']; if (ALLOWED.includes(property)) obj[property]
```
### Template Pattern
```
ā eval('Hello ' + name + '!')
ā
`Hello ${name}!`
```
### Math Operations Pattern
```
ā eval(num1 + ' + ' + num2)
ā
const mathOps = { '+': (a, b) => a + b }; mathOps[op](num1, num2)
```
## Security Impact
| Vulnerability | CWE | OWASP | CVSS | Impact |
| ------------------- | --- | -------- | ------------ | -------------------------- |
| Code Injection | 95 | A03:2021 | 9.8 Critical | Complete server compromise |
| Command Injection | 78 | A03:2021 | 9.8 Critical | System command execution |
| Prototype Pollution | 915 | A01:2021 | 8.1 High | Object manipulation |
### Why This Matters
| Issue | Impact | Solution |
| ---------------------- | ----------------------------------- | ------------------------------------------------------------ |
| š **Remote Code Ex.** | Full server/client takeover | Remove `eval()` entirely; use `JSON.parse` or object logic |
| šµļø **Data Injection** | Manipulated business logic | Validate input against a strict whitelist of allowed values |
| š **Compliance** | Failure to prevent script injection | Implement Content Security Policy (CSP) and static templates |
## Migration Guide
### Phase 1: Discovery
```javascript
// Enable rule with warnings first
{
rules: {
'node-security/detect-eval-with-expression': 'warn'
}
}
```
### Phase 2: Pattern Replacement
```javascript
// Replace common patterns
eval(`obj.${prop}`) ā obj[prop] with validation
eval(jsonString) ā JSON.parse(jsonString)
eval(mathExpr) ā Safe math functions
```
### Phase 3: Enforcement
```javascript
// Strict enforcement
{
rules: {
'node-security/detect-eval-with-expression': 'error'
}
}
```
## Comparison with Alternatives
| Feature | detect-eval-with-expression | eslint-plugin-security | eslint-plugin-sonarjs |
| ---------------------------- | --------------------------- | ---------------------- | --------------------- |
| **Code Injection Detection** | ā
Yes | ā ļø Limited | ā ļø Limited |
| **CWE Reference** | ā
CWE-95 included | ā ļø Limited | ā ļø Limited |
| **LLM-Optimized** | ā
Yes | ā No | ā No |
| **ESLint MCP** | ā
Optimized | ā No | ā No |
| **Fix Suggestions** | ā
Detailed | ā ļø Basic | ā ļø Basic |
## Related Rules
- [`detect-child-process`](./detect-child-process.md) - Prevents command injection
- [`detect-non-literal-fs-filename`](./detect-non-literal-fs-filename.md) - Prevents path traversal
- [`detect-object-injection`](./detect-object-injection.md) - Prevents prototype pollution
- [`detect-non-literal-regexp`](./detect-non-literal-regexp.md) - Prevents ReDoS attacks
## Known False Negatives
The following patterns are **not detected** due to static analysis limitations:
### Aliased Functions
**Why**: Aliased dangerous functions not traced.
```typescript
// ā NOT DETECTED - Aliased function
const execute = eval;
execute(userInput);
```
**Mitigation**: Never alias dangerous functions.
### Dynamic Invocation
**Why**: Dynamic method calls not analyzed.
```typescript
// ā NOT DETECTED - Dynamic call
window['eval'](userInput);
```
**Mitigation**: Avoid dynamic method access.
### Wrapper Functions
**Why**: Wrappers not recognized.
```typescript
// ā NOT DETECTED - Wrapper
myEval(userInput); // Uses eval internally
```
**Mitigation**: Apply rule to wrapper implementations.
## Further Reading
- **[OWASP Code Injection Prevention](https://owasp.org/www-community/attacks/Code_Injection)** - Code injection attack guide
- **[Node.js Security Best Practices](https://nodejs.org/en/docs/guides/security/)** - Node.js security guidelines
- **[CWE-95: Code Injection](https://cwe.mitre.org/data/definitions/95.html)** - Official CWE entry
- **[ESLint MCP Setup](https://eslint.org/docs/latest/use/mcp)** - Enable AI assistant integration