mcp-server-semgrep/semgrep-rules/javascript/browser/security/eval-detected.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: eval-detected
  message: >-
    Detected the use of eval(). eval() can be dangerous if used to evaluate
    dynamic content. If this content can be input from outside the program, this
    may be a code injection vulnerability. Ensure evaluated content is not definable
    by external sources.
  metadata:
    cwe:
    - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"
    owasp:
    - A03:2021 - Injection
    asvs:
      section: V5 Validation, Sanitization and Encoding
      control_id: 5.2.4 Dynamic Code Execution Features
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing
      version: '4'
    category: security
    technology:
    - browser
    subcategory:
    - audit
    likelihood: LOW
    impact: MEDIUM
    confidence: LOW
    references:
    - https://owasp.org/Top10/A03_2021-Injection
  languages:
  - javascript
  - typescript
  severity: WARNING
  patterns:
  - pattern-not: eval("...")
  - pattern: eval(...)