Codiga has joined Datadog!

Read the Blog·

Interested in our Static Analysis?

Sign up
← All posts
Oscar Salazar Sunday, January 29, 2023

JavaScript eval security best practices



Oscar Salazar, Senior Software Engineer

Oscar is a Software Engineer passionate about frontend development and creative coding, he has worked in several projects involving from video games to rich interactive experiences in different web applications. He loves studying and playing with the newest CSS features to create fantastic art.

See all articles

How can we execute JavaScript code dynamically with eval()

eval() is a JavaScript function that allows you to execute a string as JavaScript code. The function takes a string argument and evaluates it as a JavaScript expression, then returns the result.

It can be useful in certain situations, such as:

  • Dynamic code evaluation: eval() can be used to evaluate code dynamically, meaning that the code is generated and executed at runtime. This can be useful when you need to generate code based on user input or other dynamic factors.

  • Testing and debugging: eval() can be used to test small pieces of code during the development process. This allows developers to quickly test and debug code snippets without having to write them in a separate file.

  • Custom expressions: eval() can be used to evaluate custom expressions that may not be possible with regular JavaScript code. For example, you can use eval() to parse and evaluate mathematical expressions or to parse and execute code stored in a string.

Security risks when eval() is used improperly

JavaScript's eval() function is a powerful tool that can execute code stored as a string. However, it also poses a security risk when used improperly. Here are a few reasons why eval() is considered insecure:

  • Code injection: When eval() is passed untrusted data (such as user input), it can be used to inject malicious code into a program. Attackers can exploit this vulnerability to steal sensitive information, compromise data, or take control of the affected system.

  • Scope pollution: eval() has global scope, meaning that any variables or functions declared within the evaluated code are accessible from anywhere in the program. This can lead to naming collisions and unexpected behavior, as well as making it harder to understand and maintain the code.

  • Performance impact: eval() is significantly slower than other JavaScript operations since it requires the JavaScript engine to parse and executes the string of code at runtime. This can result in slower performance and degraded user experience, especially in large or complex applications.

  • Debugging difficulties: When bugs or errors occur within code executed by eval(), they can be difficult to diagnose and fix due to the dynamic nature of the function. This can make it challenging for developers to find and fix problems in their code.

Prevent eval() security vulnerabilities

While eval() can be a useful tool in certain situations, it's important to use it securely to avoid potential security risks. Here are a few best practices for using eval() securely:

  • Limit scope: Use eval() only within a limited scope, such as within a closure or a local function, to reduce the risk of unintended access to sensitive information.

  • Verify input: If eval() is used with data from an untrusted source (such as user input), make sure to validate and sanitize the input to prevent code injection attacks.

  • Use with statement carefully: The with statement allows you to modify the scope of eval(). Avoid using with in combination with eval(), as it can make it easier for attackers to inject malicious code.

  • Avoid using eval() for large or complex code: eval() is slow and can be difficult to debug, so it's generally recommended to avoid using it for large or complex code.

  • Allow only literals: Instead of calling a function or passing a variable as the code of the eval function use string literals.

  • Consider alternatives: Instead of using eval(), consider using alternatives such as JSON.parse(), Function(), or templating engines. These alternatives provide more secure and efficient ways to dynamically generate and execute code in JavaScript applications.

In summary, eval() can be used securely if you follow best practices such as limiting the scope, verifying input, avoiding the with statement, and considering alternatives. However, it's important to keep in mind that eval() can also be a security risk if used improperly, so it's generally recommended to use it with caution.

Automatically detect insecure eval() in your code base

Codiga provides IDE plugins and integrations with GitHub, GitLab, or Bitbucket to detect insecure eval() function calls. The Codiga static code analysis detects this issue directly in your IDE or code reviews.

In particular, this analysis rule produces a warning each time there is an eval() call in your code with user input or expressions.

Avoid eval(variable) calls

To use this rule consistently, all you need to do is to install the integration in your IDE (for VS Code or JetBrains) or code management system and add a codiga.yml file at the root of your profile with the following content:

  - javascript-security

You can also navigate to your project directory in your terminal and run the following command to get started.

npx @codiga/cli ruleset-add javascript-security

More resources

Are you interested in Datadog Static Analysis?

Sign up