10 lines
939 B
Plaintext
10 lines
939 B
Plaintext
Executing code dynamically is security-sensitive. It has led in the past to the following vulnerabilities:
|
|
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9807[CVE-2017-9807]
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9802[CVE-2017-9802]
|
|
|
|
Some APIs enable the execution of dynamic code by providing it as strings at runtime. These APIs might be useful in some very specific meta-programming use-cases. However most of the time their use is frowned upon because they also increase the risk of maliciously https://owasp.org/www-community/attacks/Code_Injection[Injected Code]. Such attacks can either run on the server or in the client (example: XSS attack) and have a huge impact on an application's security.
|
|
|
|
|
|
This rule marks for review each occurrence of such dynamic code execution. This rule does not detect code injections. It only highlights the use of APIs which should be used sparingly and very carefully.
|