Resolve vulnerability: Improper neutralization of directives in dynamically evaluated code ('Eval Injection')

AI GENERATED PATCH

The suggested code changes were generated by GitLab Duo Vulnerability resolution, an AI feature. Before you apply the code changes, carefully review and test them, to ensure that they solve the vulnerability, don't harm the functional behaviour of your application or introduce new vulnerabilities.

The large language model that generated the suggested code changes was only provided with the affected lines of code, and the vulnerability in that code. It is not aware of any functionality outside of this context.

Description:

The application was found calling the eval function with a non-literal variable. If the variable comes from user-supplied input, an adversary could attempt to execute arbitrary JavaScript code. This could lead to a full system compromise in Node applications or Cross-site Scripting (XSS) in web applications.

To remediate this issue, remove all calls to eval and implement the necessary business logic another way. There is almost no safe method of calling eval with user-supplied input. Instead, use alternatives such as property accessors to dynamically access values.

Example using property accessors to dynamically access an object's property:

// Define an object
const obj = {key1: 'value1', key2: 'value2'};
// Get the key dynamically from user input (getUserInput() stands in for whatever
// source supplies the key, e.g. a query parameter or form field)
const key = getUserInput();
// Check that the key is an own property of our object and return it, or a default
// empty string; calling hasOwnProperty via Object.prototype guards against an
// object that shadows or lacks that method
const value = Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : '';
// Work with the value
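The contrast the description draws, as an added example that is not part of the GitLab Duo patch or the project's code: the eval-based lookup the scanner flags beside the property-accessor lookup, run against a constructed settings object, including the keys that trip up a naive accessor (inherited names, a shadowed hasOwnProperty, a null-prototype object).

```javascript
'use strict';

// Constructed sample object; a JSON.parse() result would behave the same.
const settings = { key1: 'value1', key2: 'value2' };

// VULNERABLE: builds source text from the key and evaluates it. The key is
// spliced into the program, so quote/bracket characters change its meaning.
function lookupWithEval(obj, key) {
  return eval("obj['" + key + "']");
}

// SAFE: a property accessor never parses the key. hasOwnProperty is called
// through Object.prototype so a shadowed or absent method (Object.create(null),
// an object whose own "hasOwnProperty" key came from JSON) cannot break it.
function lookupSafe(obj, key) {
  if (typeof key !== 'string') return '';
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : '';
}

// Stricter variant: only keys the application explicitly allows are readable.
function lookupAllowlisted(obj, key, allowed) {
  return allowed.has(key) ? lookupSafe(obj, key) : '';
}

function demo() {
  // A well-formed key behaves the same either way.
  const plain = lookupWithEval(settings, 'key1');      // 'value1'
  // A key carrying quote and bracket characters is evaluated as code by eval
  // (here it silently reads a second property) but is merely an absent key
  // to the accessor.
  const crafted = "key1'] + obj['key2";
  const viaEval = lookupWithEval(settings, crafted);   // 'value1value2'
  const viaAccessor = lookupSafe(settings, crafted);   // ''
  // Inherited names are not own properties, so they are never exposed.
  const inherited = lookupSafe(settings, 'toString');  // ''
  const proto = lookupSafe(settings, '__proto__');     // ''
  return { plain, viaEval, viaAccessor, inherited, proto };
}
```

Run demo() under Node to see the two lookups diverge only on the crafted key; the allowlisted variant is the shape to prefer when the set of readable keys is known up front.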

For more information on why not to use eval, and on alternatives, see:

Identifiers:
