eval()-like method JS-0330
150 })]
151 });
152
153 const workerLambda = new Function(this, 'WorkerFunction', {154 functionName: `${props.name}-worker-${props.version}`,155 handler: 'main',156 runtime: Runtime.GO_1_X,157 memorySize: 1024,158 timeout: Duration.minutes(15),159 tracing: Tracing.ACTIVE,160 code: Code.fromAsset(`./../worker/dist`),161 environment: {162 SCHEDULER_TABLE_NAME: schedulerTable.tableName163 }164 });165
166 workerLambda.addEventSource(new DynamoEventSource(schedulerTable, {
167 startingPosition: StartingPosition.LATEST
127 autoDeploy: true
128 });
129
130 const collectorLambda = new Function(this, 'CollectorFunction', {131 functionName: `${props.name}-collector-${props.version}`,132 handler: 'main',133 runtime: Runtime.GO_1_X,134 memorySize: 256,135 timeout: Duration.minutes(15),136 tracing: Tracing.ACTIVE,137 code: Code.fromAsset(`./../collector/dist`),138 environment: {139 SCHEDULER_TABLE_NAME: schedulerTable.tableName140 }141 });142
143 schedulerTable.grantReadWriteData(collectorLambda);
144
78 }
79 });
80
81 const graphqlLambda = new Function(this, 'GraphQLFunction', { 82 functionName: `${props.name}-graphql-${props.version}`, 83 handler: 'main', 84 runtime: Runtime.GO_1_X, 85 memorySize: 512, 86 timeout: Duration.seconds(30), 87 tracing: Tracing.ACTIVE, 88 code: Code.fromAsset(`./../graphql/dist`), 89 environment: { 90 SCHEDULER_TABLE_NAME: schedulerTable.tableName 91 } 92 }); 93
94 schedulerTable.grantReadWriteData(graphqlLambda);
95
Executing JavaScript from an arbitrary string can greatly compromise your application's security.
It is possible to achieve eval()-like behaviour from incorrect use of the following functions: setTimeout(), setInterval(), setImmediate() and execScript() (Internet Explorer only).
All of them are capable of accepting a string as their first argument and then interpreting it as JavaScript code in the global scope.
This leaves your application vulnerable to several security threats, because any attacker-influenced text that reaches such a string argument is executed with the full privileges of the page or process.
setTimeout('alert("Hi!");', 100);
Using the global Function constructor has similar behaviour, since it also interprets a string as JavaScript code. Note that this check appears to match on the name alone: an imported class that shadows the global `Function` — as the `new Function(this, '...', { ... })` calls in the flagged snippets above appear to be, given their scope/id/props argument shape — does not compile a string, so such a report should be reviewed as a likely false positive rather than refactored.
const fn = new Function('a', 'b', 'return a + b');
// Bad practice: every call below hands source code to the runtime as a
// string, which is parsed and executed as JavaScript in the global scope.
setTimeout('alert("Hi!");', 100);
// or:
execScript('alert("Hi!")');
// or:
window.setInterval('foo = bar', 10);
// or:
const callback = new Function('err', 'res', 'store(res.data);');
// Recommended: pass a function value rather than a string, so no source
// text is compiled at runtime.
setTimeout(function () {
  alert('Hi!');
}, 100);
// NOTE(review): execScript is described above as IE-only and string-taking;
// whether it accepts a function value is not established here — confirm.
execScript(function () {
  alert('Hi!');
});
const callback = (err, res) => {
  store(res.data);
}