Skip to content

Injection: Dangerous Dynamic Code Execution in JavaScript

Identifier: js_dangerous_eval

Scanner(s) Support

GraphQL Scanner REST Scanner WebApp Scanner ASM Scanner

Description

Dynamic code execution via eval() or Function() with user-controlled input can lead to code injection attacks.

How we test: We statically analyze first-party JavaScript bundles to detect usage of eval(), new Function(), setTimeout/setInterval with string arguments, and similar patterns that execute dynamically constructed code.

References:

Configuration

Example

Example configuration:

---
security_tests:
  js_dangerous_eval:
    issues_count_limit: 10
    skip: false

Reference

issues_count_limit

Type : integer

The maximum number of issues to report. Use 0 to report all issues.

skip

Type : boolean

Skip the test if true.