Executing code dynamically is security-sensitive. It has led in the past to the following vulnerabilities:

The eval function runs arbitrary code at run time. Dynamically evaluating code is slow and becomes a security issue as soon as the evaluated string contains data that has not been properly validated.

Any code that is dynamically evaluated in your process runs with the same permissions as the rest of your code. It is therefore very dangerous to evaluate code coming from an untrusted source. Injected code can run either on the server or in the client (example: an XSS attack).

Note that the eval function and the Function constructor should in general be avoided altogether.

This rule raises issues on calls to eval and to the Function constructor. It is intended for code review only.

Ask Yourself Whether

You are at risk if you answered yes to any of these questions.

Recommended Secure Coding Practices

Regarding the execution of unknown code, the best solution is not to run code provided by an untrusted source at all. If you really need to do it, run the code in a sandboxed environment. Use jails, firewalls and whatever isolation your operating system and programming language provide (examples: a separate process or container with minimal privileges; iframes and the same-origin policy for JavaScript in a web browser). Be careful about what actually counts as a boundary: Java's Security Manager is deprecated for removal since JDK 17 (JEP 411), and the Node.js vm module explicitly is not a security mechanism, so neither should be relied on to contain untrusted code.

Do not try to build a blacklist of dangerous code. It is impossible to cover all attacks that way, since the same action can be written in countless equivalent or obfuscated forms.

Reflection should likewise be strictly controlled, as it can lead to many of the same vulnerabilities. Never let an untrusted source decide what code runs. If you have to select code based on input anyway, keep a fixed list of allowed functions or properties and use the input only to choose among them.
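The following is an added example, not code from the rule description or from SonarSource: it puts the page's noncompliant pattern (eval('obj.' + propName)) beside the allowlist approach recommended above, for both property reads and function dispatch. The object, the allowlist contents and the function names (readPropertyUnsafe, readPropertyAllowed, runActionAllowed) are assumptions made for this example; the inputs are constructed.

```javascript
// Added example (not part of the SonarSource rule text). Names and data below
// are assumptions made for illustration.

// Record that is legitimately readable, plus one field that must not leak.
const obj = { name: "widget", price: 42, secret: "do-not-expose" };

// Noncompliant: the untrusted string becomes code, not a property name.
// Anything the caller appends is executed with the program's privileges.
function readPropertyUnsafe(propName) {
  return eval("obj." + propName); // eslint-disable-line no-eval
}

// Compliant: the untrusted string is only ever compared against a fixed
// allowlist and then used as a plain property key. No code is generated.
// A Set (not a plain object) is used so that keys such as "constructor" or
// "__proto__" cannot match through the prototype chain.
const ALLOWED_PROPS = new Set(["name", "price"]);

function readPropertyAllowed(propName) {
  if (!ALLOWED_PROPS.has(propName)) {
    throw new Error(`property not allowed: ${propName}`);
  }
  return obj[propName];
}

// Same idea for dispatching behaviour: a fixed table of functions selected by
// name, instead of a function body assembled from input with Function().
const ACTIONS = new Map([
  ["double", (n) => n * 2],
  ["negate", (n) => -n],
]);

function runActionAllowed(actionName, arg) {
  const fn = ACTIONS.get(actionName); // Map.get ignores prototype properties
  if (fn === undefined) {
    throw new Error(`action not allowed: ${actionName}`);
  }
  return fn(arg);
}

// Constructed inputs: a benign property name, an expression smuggled in
// through the "property name", and a property outside the allowlist.
const BENIGN = "price";
const INJECTED = "price + 1000";
const OUT_OF_LIST = "secret";

// Stand-alone demonstration.
console.log(readPropertyUnsafe(BENIGN)); // 42
console.log(readPropertyUnsafe(INJECTED)); // 1042: the input was executed
console.log(readPropertyUnsafe(OUT_OF_LIST)); // the secret leaks
console.log(readPropertyAllowed(BENIGN)); // 42
for (const bad of [INJECTED, OUT_OF_LIST, "constructor"]) {
  try {
    readPropertyAllowed(bad);
  } catch (e) {
    console.log(e.message); // rejected before any lookup happens
  }
}
console.log(runActionAllowed("double", 21)); // 42
```

The allowlisted versions never build a string that is later interpreted as code, so the rule has nothing to flag and the input can only select among behaviours the program already defines. Note that a Function() body, unlike direct eval, runs in global scope and does not see module-level bindings, which is one more reason the page's second noncompliant form is not a drop-in replacement for the first.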

Noncompliant Code Example

// propName comes from an untrusted source (for example a request parameter)
let value = eval('obj.' + propName); // Questionable
let func = Function('return obj.' + propName); // Questionable

Exceptions

This rule does not raise an issue when the argument to eval or Function is a string literal, because no untrusted data can reach the evaluated code in that case.

See