mcp-server-semgrep/semgrep-rules/javascript/aws-lambda/security/tainted-eval.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: tainted-eval
  message: >-
    The `eval()` function evaluates JavaScript code represented as a string.
    Executing JavaScript from a string is an enormous security risk.
    It is far too easy for a bad actor to run arbitrary code when you use `eval()`.
    Ensure evaluated content is not definable by external sources.
  metadata:
    cwe:
    - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
    owasp:
    - A03:2021 - Injection
    category: security
    technology:
    - javascript
    - aws-lambda
    subcategory:
    - vuln
    likelihood: MEDIUM
    impact: HIGH
    confidence: LOW
    references:
    - https://owasp.org/Top10/A03_2021-Injection
  languages:
  - javascript
  - typescript
  severity: WARNING
  mode: taint
  pattern-sources:
  - patterns:
    - pattern: $EVENT
    - pattern-either:
      - pattern-inside: |
          exports.handler = function ($EVENT, ...) {
            ...
          }
      - pattern-inside: |
          function $FUNC ($EVENT, ...) {...}
          ...
          exports.handler = $FUNC
      - pattern-inside: |
          $FUNC = function ($EVENT, ...) {...}
          ...
          exports.handler = $FUNC
  pattern-sinks:
  - patterns:
    - focus-metavariable: $CODE
    - pattern-either:
      - pattern: eval($CODE)
      - pattern: Function(...,$CODE)
      - pattern: new Function(...,$CODE)