跳转到内容

noGlobalEval

Diagnostic Category: lint/security/noGlobalEval

Since: v1.5.0

Sources:

Disallow the use of global eval().

The eval() function evaluates the passed string as a JavaScript code. The executed code can access and mutate variables in the scope where the function is called.

The use of eval() exposes to security risks and performance issues. If the executed code is somehow affected by a malicious party, then you may end up executing malicious code with the privileges of the caller. Moreover, changing variables in the caller’s scope is expensive in modern JavaScript interpreters.

eval("var a = 0");
code-block.js:1:1 lint/security/noGlobalEval ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

eval() exposes to security risks and performance issues.

> 1 │ eval(“var a = 0”);
^^^^
2 │

See the MDN web docs for more details.

Refactor the code so that it doesn’t need to call eval().

(0, globalThis.eval)("var a = 0")
code-block.js:1:5 lint/security/noGlobalEval ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

eval() exposes to security risks and performance issues.

> 1 │ (0, globalThis.eval)(“var a = 0”)
^^^^^^^^^^^^^^^
2 │

See the MDN web docs for more details.

Refactor the code so that it doesn’t need to call eval().

f(eval);
code-block.js:1:3 lint/security/noGlobalEval ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

eval() exposes to security risks and performance issues.

> 1 │ f(eval);
^^^^
2 │

See the MDN web docs for more details.

Refactor the code so that it doesn’t need to call eval().

const aliasedEval = eval;
code-block.js:1:21 lint/security/noGlobalEval ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

eval() exposes to security risks and performance issues.

> 1 │ const aliasedEval = eval;
^^^^
2 │

See the MDN web docs for more details.

Refactor the code so that it doesn’t need to call eval().

function f(eval) {
eval("let a = 0;");
}

The rule is not able to detect cases where the global object is aliased:

let foo = globalThis;
foo.eval("let a = 0;");