
NO_EVAL

Prevent unsafe usage of eval() in your application.

Conformance is available on Enterprise plans

JavaScript's eval() function is potentially dangerous, is often misused, and might cause security issues. Using eval() on untrusted code can open an application up to several different injection attacks.

This rule will also catch eval-like function usage (or implied eval), such as passing a string as the first argument to setTimeout.

This is especially dangerous when working with data from external sources.

const dontDoThis = req.body;
setTimeout(dontDoThis, 1000);

For more information on why you should never use eval(), see the MDN docs.

The lines below (and variations of those) will all be caught by this rule.

eval('() => console.log("DROP TABLE")');
setTimeout('() => console.log("DROP TABLE")', 1000);
window.setInterval('() => console.log("DROP TABLE")', 1000);
new Function('() => console.log("DROP TABLE")');

Conformance rules are not type-aware, but will follow variable references within the current module (or file).

import { importedVar } from 'foo';
 
// No error reported, as this rule doesn't have access to the value.
setTimeout(importedVar, 100);
 
const localVar = 'bar';
 
// An error will be reported, as the variable was declared in this file.
setTimeout(localVar, 100);
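The two examples above (the list of caught calls, and the local-variable versus imported-variable distinction) can be reproduced with a small scanner. The following is an added example, not Vercel's Conformance implementation: a regex-based approximation of the rule that flags eval, setTimeout, setInterval and Function calls whose first argument is a string literal or a string constant declared in the same file, and stays silent on imported identifiers because their values are not visible. The SAMPLE_SOURCE module is constructed for this example.

```javascript
// Added example, not the real NO_EVAL rule: an approximation that works on
// one module's text. The real rule is AST-based; regexes are used here so the
// example runs without dependencies.

// Collect `const|let|var name = 'literal'` declarations in this module.
function collectStringConsts(source) {
  const consts = new Map();
  const re = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(['"`])([^'"`\\]*)\2/g;
  for (const m of source.matchAll(re)) consts.set(m[1], m[3]);
  return consts;
}

// Collect identifiers brought in by `import { a as b, c } from '...'` or
// `import d from '...'`; their values are unknown to a single-file rule.
function collectImports(source) {
  const names = new Set();
  const re = /\bimport\s+(?:\{([^}]*)\}|([A-Za-z_$][\w$]*))\s+from/g;
  for (const m of source.matchAll(re)) {
    const list = m[1] ? m[1].split(',') : [m[2]];
    for (const n of list) {
      const id = n.trim().split(/\s+as\s+/).pop();
      if (id) names.add(id);
    }
  }
  return names;
}

// Return one finding { line, callee, reason } per eval-like call whose first
// argument is a string literal or a local string constant. An identifier that
// is imported (or otherwise unknown) yields no finding, mirroring the rule.
function findUnsafeEval(source) {
  const consts = collectStringConsts(source);
  const imports = collectImports(source);
  const callRe = /(?:\bnew\s+)?(?:\b(?:window|globalThis)\.)?\b(eval|setTimeout|setInterval|Function)\s*\(\s*(['"`]|[A-Za-z_$][\w$]*)/g;
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const [, callee, arg] of text.matchAll(callRe)) {
      if (/^['"`]$/.test(arg)) {
        findings.push({ line: i + 1, callee, reason: 'string literal argument' });
      } else if (consts.has(arg) && !imports.has(arg)) {
        findings.push({ line: i + 1, callee, reason: `local const '${arg}' holds a string` });
      }
    }
  });
  return findings;
}

// Constructed sample module combining the page's caught and uncaught cases.
const SAMPLE_SOURCE = `
import { importedVar } from 'foo';
eval('() => console.log("DROP TABLE")');
setTimeout('() => console.log("DROP TABLE")', 1000);
window.setInterval('() => console.log("DROP TABLE")', 1000);
new Function('() => console.log("DROP TABLE")');
setTimeout(importedVar, 100);
const localVar = 'bar';
setTimeout(localVar, 100);
setTimeout(() => { console.log('Safe usage'); });
`;
```

Running findUnsafeEval(SAMPLE_SOURCE) reports lines 3 to 6 and line 9 of the sample and nothing for the imported variable or the arrow-function callback.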

Avoid this type of evaluation entirely in your application. Instead, write the same functionality as actual code rather than as a string to be evaluated.

setTimeout(() => {
  console.log('Safe usage');
});
Last updated on July 27, 2024