2021-01-27 13:42:22 +01:00


include::../description.adoc[]
== Noncompliant Code Example
``++eval++`` and other functions that dynamically execute code should not be used in combination with user input:
----
let input = req.query.input;
eval(input); // Noncompliant
(Function(input))(); // Noncompliant
(new Function(input))(); // Noncompliant
----
----
const vm = require("vm");
let input = req.query.input;
vm.runInThisContext(input); // Noncompliant
const context = {};
vm.createContext(context);
vm.runInContext(input, context); // Noncompliant
vm.runInNewContext(input, context); // Noncompliant
vm.compileFunction(input)(); // Noncompliant
(new vm.Script(input)).runInThisContext(); // Noncompliant
----
----
var Module = require('module');
let name = req.query.name;
let input = req.query.input;
var mod = new Module(name, module.parent);
mod._compile(input, name); // Noncompliant
----
In a MongoDB context, https://docs.mongodb.com/manual/faq/fundamentals/#how-does-mongodb-address-sql-or-query-injection[arbitrary JavaScript code] can be executed with the ``++$where++`` operator, for instance:
----
let username = req.query.username;
query = { $where: `this.username == '${username}'` } // Noncompliant
User.find(query, function (err, users) {
  if (err) {
    // Handle errors
  } else {
    res.render('userlookup', { title: 'User Lookup', users: users });
  }
});
----
== Compliant Solution
If ``++eval++`` is used to parse a JSON string, use ``++JSON.parse++`` instead:
----
let obj = JSON.parse(req.query.input); // Compliant
----
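The following is an added example, not code from the rule page: it shows the compliant approach carried one step further, parsing the ``++input++`` parameter with ``++JSON.parse++`` and then validating the resulting shape so only expected keys and value ranges reach application logic. The function name ``++parseFilter++``, the allowed keys and the sample inputs are assumptions made for this example.

```javascript
// Added example (not from the rule page): JSON.parse plus shape validation
// as a replacement for eval() on a query parameter. parseFilter, the allowed
// keys and the sample inputs below are assumptions made for this example.

const ALLOWED_KEYS = new Set(["limit", "sort"]);
const ALLOWED_SORT = new Set(["asc", "desc"]);

// Returns { ok: true, filter } for well-formed input and
// { ok: false, reason } otherwise; never throws on bad input.
function parseFilter(raw) {
  if (typeof raw !== "string") {
    return { ok: false, reason: "filter must be a single string parameter" };
  }
  let value;
  try {
    value = JSON.parse(raw); // data only: JSON.parse never evaluates code
  } catch (e) {
    return { ok: false, reason: "filter is not valid JSON" };
  }
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    return { ok: false, reason: "filter must be a JSON object" };
  }
  // Allow-list the keys. JSON.parse creates "__proto__" as an ordinary own
  // property, so the allow-list rejects it like any other unexpected key.
  for (const key of Object.keys(value)) {
    if (!ALLOWED_KEYS.has(key)) {
      return { ok: false, reason: `unexpected key: ${key}` };
    }
  }
  const filter = {};
  if (Object.prototype.hasOwnProperty.call(value, "limit")) {
    if (!Number.isInteger(value.limit) || value.limit < 1 || value.limit > 100) {
      return { ok: false, reason: "limit must be an integer between 1 and 100" };
    }
    filter.limit = value.limit;
  }
  if (Object.prototype.hasOwnProperty.call(value, "sort")) {
    if (!ALLOWED_SORT.has(value.sort)) {
      return { ok: false, reason: "sort must be 'asc' or 'desc'" };
    }
    filter.sort = value.sort;
  }
  return { ok: true, filter };
}

// Constructed sample inputs, as they might arrive in req.query.input.
const filterSamples = [
  '{"limit": 10, "sort": "desc"}',      // well-formed data: accepted
  '{"limit": 1 + 1}',                    // an expression: not JSON, rejected
  '{"__proto__": {"admin": true}}',      // unexpected key: rejected
  '[1, 2, 3]',                           // wrong shape: rejected
];
for (const s of filterSamples) {
  console.log(s, "->", JSON.stringify(parseFilter(s)));
}
```

The point of the extra validation is that ``++JSON.parse++`` only guarantees the result is data, not that it is the data the handler expects; an allow-list of keys and explicit range checks close that gap without ever evaluating the input.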
In a MongoDB context, don't use the ``++$where++`` operator, or validate the data before it reaches the query:
----
let username = req.query.username;
query = { username: username } // Compliant
User.find(query, function (err, users) {
  if (err) {
    // Handle errors
  } else {
    res.render('userlookup', { title: 'User Lookup', users: users });
  }
});
----
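As an added example that is not part of the rule page, the following builds the ``++User.find++`` query from a validated username, combining both pieces of the compliant solution: no ``++$where++`` string, and the value is checked before it is used. The helper names ``++buildUserLookupQuery++`` and ``++safeUserLookupQuery++``, the username pattern and the sample values are assumptions for this example; the ``++typeof++`` check goes slightly beyond the page by also insisting on a string, since query-string parsers can deliver objects for a parameter.

```javascript
// Added example (not from the rule page): build the lookup query from a
// validated username instead of interpolating it into a $where string.
// The helper names, the username rule and the samples are assumptions.

// Plain usernames only: letters, digits, dot, underscore, hyphen; 3..32 chars.
const USERNAME_RE = /^[A-Za-z0-9._-]{3,32}$/;

class ValidationError extends Error {}

// Returns a query object that performs an equality match on the username
// field; nothing in it is evaluated as code. Throws ValidationError otherwise.
function buildUserLookupQuery(username) {
  // Query-string parsers can turn "username[key]=x" into an object; requiring
  // a string keeps anything but a literal value out of the query.
  if (typeof username !== "string") {
    throw new ValidationError("username must be a string");
  }
  if (!USERNAME_RE.test(username)) {
    throw new ValidationError("username contains unexpected characters or length");
  }
  return { username };
}

// Result-object wrapper, convenient for a request handler that wants to
// answer 400 on bad input without a try/catch of its own.
function safeUserLookupQuery(username) {
  try {
    return { ok: true, query: buildUserLookupQuery(username) };
  } catch (e) {
    if (e instanceof ValidationError) return { ok: false, reason: e.message };
    throw e;
  }
}

// Constructed samples, as they might arrive in req.query.username.
const usernameSamples = ["alice", "bob.smith", "x", "al ice", { other: "" }];
for (const s of usernameSamples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(safeUserLookupQuery(s)));
}
```

The handler then calls ``++User.find(result.query, ...)++`` only when ``++result.ok++`` is true; because the query is an equality match on a data field rather than a JavaScript expression, a username that would have broken out of the ``++$where++`` string is simply a value that matches no document.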
include::../see.adoc[]