rspec/rules/S3523/javascript/rule.adoc

In addition to being obtuse from a syntax perspective, function constructors are also dangerous: their execution evaluates the constructor's string arguments similar to the way ``++eval++`` works, which could expose your program to random, unintended code which can be both slow and a security risk.


In general it is better to avoid it altogether, particularly when used to parse JSON data. You should use ECMAScript 5's built-in JSON functions or a dedicated library.


== Noncompliant Code Example

----
var obj =  new Function("return " + data)();  // Noncompliant
----


== Compliant Solution

----
var obj = JSON.parse(data);
----


== Exceptions

Function calls where the argument is a string literal (e.g. ``++(Function('return this'))()++``) are ignored. 


== See

* OWASP Top 10 2017 Category A1 - Injection


ifdef::rspecator-view[]
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::rspecator-view[]
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			In addition to being obtuse from a syntax perspective, function constructors are also dangerous: their execution evaluates the constructor's string arguments similar to the way ``++eval++`` works, which could expose your program to random, unintended code which can be both slow and a security risk.


			`In general it is better to avoid it altogether, particularly when used to parse JSON data. You should use ECMAScript 5's built-in JSON functions or a dedicated library.`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Noncompliant Code Example`

			`----`
			`var obj = new Function("return " + data)(); // Noncompliant`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Compliant Solution`

			`----`
			`var obj = JSON.parse(data);`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Exceptions`

			Function calls where the argument is a string literal (e.g. ``++(Function('return this'))()++``) are ignored.

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== See`

			`* OWASP Top 10 2017 Category A1 - Injection`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
			`ifdef::rspecator-view[]`
			`== Comments And Links`
			`(visible only on this page)`

			`include::comments-and-links.adoc[]`
			`endif::rspecator-view[]`