== Why is this an issue?

In addition to being obtuse from a syntax perspective, function constructors are also dangerous: their execution evaluates the constructor's string arguments similar to the way ``++eval++`` works, which could expose your program to random, unintended code which can be both slow and a security risk.


In general it is better to avoid it altogether, particularly when used to parse JSON data. You should use ECMAScript 5's built-in JSON functions or a dedicated library.


=== Noncompliant code example

[source,javascript]
----
var obj =  new Function("return " + data)();  // Noncompliant
----


=== Compliant solution

[source,javascript]
----
var obj = JSON.parse(data);
----


=== Exceptions

Function calls where the argument is a string literal (e.g. ``++(Function('return this'))()++``) are ignored. 


== Resources

* OWASP Top 10 2017 Category A1 - Injection


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Review this "Function" call and make sure its arguments are properly validated.


=== Highlighting

* primary: ``++new Function++``


'''
== Comments And Links
(visible only on this page)

=== on 31 Aug 2018, 15:35:45 Nicolas Harraudeau wrote:
Detecting ``++new Function("...")++`` should be added to the Hotspot rule RSPEC-1523

endif::env-github,rspecator-view[]