JavaScript - Avoid use of Function Constructors - Catalog UI Policy script

Impact area

Security

Severity

High

Affected element

Catalog UI Policy

Rule number

SN-0358

Impact

In addition to being obtuse from a syntax perspective, function constructors are also dangerous: the string arguments passed to the constructor are compiled and executed as code, much as eval does. Any part of those strings that the program does not fully control can therefore run as unintended code, which is both slow (the engine must compile the string at runtime) and a security risk.

Remediation

Avoid function constructors altogether.

Time to fix

30 min

References

This rule is linked to Common Weakness Enumeration CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection).

Code examples

Noncompliant code

var obj = new Function("return " + data)(); // Noncompliant

Compliant code

var obj = JSON.parse(data);
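As an added example that is not part of the rule page, the two patterns above applied to constructed inputs, together with a lint-style scan for the Function-constructor pattern in script text; `parseJsonStrict`, `findFunctionConstructors` and the sample inputs are assumptions made here, not platform code.

```javascript
// Added example (not the rule page's own code): the noncompliant and compliant
// patterns from SN-0358 side by side, plus a lint-style check for the pattern.

// Constructed sample inputs. LOOKS_LIKE_JSON is valid JavaScript but not JSON:
// the Function constructor would execute Date.now(); JSON.parse rejects it.
const BENIGN = '{"user":"alice","role":"viewer"}';
const LOOKS_LIKE_JSON = '{"user":"alice","issued":Date.now()}';

// Noncompliant (SN-0358 / CWE-95): the string is compiled and run as code,
// so anything the caller can influence in `data` becomes executable.
function parseWithFunctionCtor(data) {
  return new Function("return " + data)(); // Noncompliant
}

// Compliant: JSON.parse only ever produces data and throws SyntaxError on
// anything that is not strict JSON, including embedded expressions.
function parseJsonStrict(data) {
  try {
    return { ok: true, value: JSON.parse(data) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Lint-style check for this rule: flag Function-constructor calls in a
// script's source text. Hypothetical helper, not the platform's own scanner;
// a regex suffices for a quick sweep, a real linter should walk the AST.
// Matches `new Function(` and a bare `Function(` not preceded by an
// identifier character or dot (so `myFunction(` and `obj.Function(` are skipped).
const FUNCTION_CTOR = /\bnew\s+Function\s*\(|(?<![\w.$])Function\s*\(/;
function findFunctionConstructors(source) {
  const hits = [];
  source.split("\n").forEach((line, i) => {
    if (FUNCTION_CTOR.test(line)) hits.push({ line: i + 1, text: line.trim() });
  });
  return hits;
}

// Constructed script text to scan: two offending lines, one compliant line.
const SAMPLE_SCRIPT = [
  'var obj = new Function("return " + data)();',
  "var safe = JSON.parse(data);",
  "var fn = Function('a', 'return a');",
].join("\n");
```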




Last modified on Mar 19, 2021