
Prevent Dynamic Eval

How many times before have you heard eval is evil?

Have you been told before to avoid using eval in your code? To avoid doing so because it’s a security risk?

Well, for a while now, Node.js has had a built-in command-line flag that backs up this advice: it lets you disable eval and the Function constructor for the whole process.

Consider the following code:

const http = require('http');
const url = require('url');

const routeMiddleware = (req, res) => {
  const queryObject = url.parse(req.url, true).query;
  let result =
    'Please provide a valid math expression in the "expr" query parameter.';
  if (queryObject.expr) {
    // Attacker-controlled string handed straight to the JavaScript engine.
    result = eval(queryObject.expr);
  }
  // eval() may return a number; res.end() only accepts a string or Buffer.
  res.end(String(result));
};

http.createServer(routeMiddleware).listen(3000);

In this code, the string in the expr query parameter is handed straight to eval. That is textbook code injection: nothing checks that the input is arithmetic, so whatever JavaScript an attacker puts in the parameter runs on the server with the full privileges of the Node.js process, including access to require and the file system.

How to Prevent Dynamic Eval

To disable eval and the Function constructor for the whole process, start your Node.js application with the --disallow-code-generation-from-strings command-line flag (a V8 option that Node.js passes through). With it set, any call to eval() or new Function() throws an EvalError ("Code generation from strings disallowed for this context") instead of running the string, so the handler above can no longer execute the attacker's expression. Two caveats: the flag applies to every module in the process, including dependencies, so run your test suite under it before enabling it in production, because libraries that build functions from strings at runtime (some template engines, for instance) will start throwing; and it does not affect the node:vm module, so code compiled through vm still runs. The flag is also on the list of V8 options accepted in the NODE_OPTIONS environment variable, which is convenient when the start command is not under your control.

$ node --disallow-code-generation-from-strings app.js
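The flag stops eval from running, but the handler still needs a way to evaluate "expr" that never touches the JavaScript engine. The following is an added example, not code from the original post: the same handler rewritten around a small recursive-descent parser that accepts only numbers, the four arithmetic operators, parentheses and unary minus, plus a startup check that reports whether --disallow-code-generation-from-strings is actually in effect. The function names (tokenize, parseExpression, evaluateExpression, safeRouteMiddleware, codeGenerationAllowed) are this example's own.

```javascript
// Added example, not from the original post. Function names are assumptions.

// Tokenizer: accepts decimal numbers, + - * / and parentheses. Anything else
// (letters, dots outside a number, backticks, ...) is rejected before parsing.
function tokenize(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const ch = src[i];
    if (ch === ' ' || ch === '\t') { i += 1; continue; }
    if ('+-*/()'.includes(ch)) { tokens.push({ type: 'op', value: ch }); i += 1; continue; }
    if (/[0-9.]/.test(ch)) {
      let j = i;
      while (j < src.length && /[0-9.]/.test(src[j])) j += 1;
      const text = src.slice(i, j);
      if (!/^\d+(\.\d+)?$/.test(text)) throw new SyntaxError(`bad number "${text}"`);
      tokens.push({ type: 'num', value: Number(text) });
      i = j;
      continue;
    }
    throw new SyntaxError(`unexpected character "${ch}" at offset ${i}`);
  }
  return tokens;
}

// Recursive-descent evaluator with the usual precedence (unary minus, then
// * and /, then + and -). It computes the value directly; no code is generated.
function parseExpression(tokens) {
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  function factor() {            // factor := number | '-' factor | '(' expr ')'
    const t = next();
    if (!t) throw new SyntaxError('unexpected end of expression');
    if (t.type === 'num') return t.value;
    if (t.value === '-') return -factor();
    if (t.value === '(') {
      const value = expr();
      const close = next();
      if (!close || close.value !== ')') throw new SyntaxError('missing ")"');
      return value;
    }
    throw new SyntaxError(`unexpected token "${t.value}"`);
  }
  function term() {              // term := factor (('*' | '/') factor)*
    let value = factor();
    while (peek() && (peek().value === '*' || peek().value === '/')) {
      const op = next().value;
      const rhs = factor();
      if (op === '/' && rhs === 0) throw new RangeError('division by zero');
      value = op === '*' ? value * rhs : value / rhs;
    }
    return value;
  }
  function expr() {              // expr := term (('+' | '-') term)*
    let value = term();
    while (peek() && (peek().value === '+' || peek().value === '-')) {
      const op = next().value;
      const rhs = term();
      value = op === '+' ? value + rhs : value - rhs;
    }
    return value;
  }

  const result = expr();
  if (pos !== tokens.length) throw new SyntaxError(`trailing input "${tokens[pos].value}"`);
  return result;
}

function evaluateExpression(src) {
  // Length cap is an arbitrary assumption; it bounds parser work per request.
  if (typeof src !== 'string' || src.length > 256) throw new SyntaxError('expression missing or too long');
  return parseExpression(tokenize(src));
}

// Hardened handler: same contract as the vulnerable one, but the query value
// only ever reaches the arithmetic parser, never eval() or new Function().
function safeRouteMiddleware(req, res) {
  const expr = new URL(req.url, 'http://localhost').searchParams.get('expr');
  res.setHeader('Content-Type', 'text/plain');
  if (expr === null || expr === '') {
    res.end('Please provide a valid math expression in the "expr" query parameter.');
    return;
  }
  try {
    res.end(String(evaluateExpression(expr)));
  } catch (err) {
    res.statusCode = 400;        // reject the request; do not echo the raw input back
    res.end(`Invalid expression: ${err.message}`);
  }
}

// Startup check: under `node --disallow-code-generation-from-strings` both
// eval() and new Function() throw an EvalError, so this returns false there.
function codeGenerationAllowed() {
  try {
    new Function('return 1')();
    return true;
  } catch (err) {
    if (err instanceof EvalError) return false;
    throw err;
  }
}
```

Wire the handler up with http.createServer(safeRouteMiddleware).listen(3000), and call codeGenerationAllowed() at startup if you want the process to refuse to run without the flag. Note that a literal "+" in a query string decodes as a space, so a client has to send 2%2B3 rather than 2+3; that applies equally to the original url.parse() version.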