
I've got a new team member joining us, and while I was looking at his code, I noticed he uses a lot of eval(). I've read a million times that eval() is evil, vulnerable to injection, but can be used for good, and is sometimes the right solution. Unfortunately, everything I've found on the subject is on how to use it correctly when you're writing code, which makes determining if existing code is a security risk difficult to do.

How do I determine if use of eval() is correct or risky?

Here are two examples of uses of eval that look potentially risky to me.

1.

if (sizzleURL) {
    message = {
        type: "GET",
        url: sizzleURL,
        async: false,
        oncomplete: function(result) {
            function define(definition) {
                self.Sizzle = definition();
            }
            define.amd = true;
            eval(result.responseText);
        }
    };
    ajaxService.sendRequest(message);
} else {
    // etc.
}

2.

json: (function() {
    if (typeof window.JSON !== "undefined") {
        return {
            serialize: window.JSON.stringify,
            parse: window.JSON.parse
        };
    }
    return {
        serialize: serializeToJSON,
        parse: function(data) {
            return eval("(" + data + ")");
        }
    };
}())

If these are secure uses of eval, or if you cannot tell from this small context, please explain how and where eval injection works.

Goose
  • http://stackoverflow.com/questions/197769/when-is-javascripts-eval-not-evil – adeneo Mar 02 '15 at 21:13
  • In your first example, there's no way to ensure that an attacker hasn't modified the response via a proxy editor. You want to be 100% sure of the integrity of what you are evaluating here... – wwwmarty Mar 02 '15 at 21:24

0 Answers