BuilderIO / partytown

Relocate resource-intensive third-party scripts off of the main thread and into a web worker. 🎉
https://partytown.builder.io
MIT License
13.04k stars, 433 forks

CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') #279

Open RezaRahmati opened 2 years ago

RezaRahmati commented 2 years ago

Hi

Veracode is reporting two very high severity CWE-95 issues on the lib, in partytown-ww.atomic.js line 686 and partytown-ww.sw.js line 678 (the lib is directly used in Gatsby).

The reference for the issue: https://cwe.mitre.org/data/definitions/95.html

[screenshots of the Veracode findings]

graysonhicks commented 1 year ago

Seeing the same thing on a site:

[screenshot of the Veracode finding]

I believe it may be a false positive since that function is calling scriptContent which should always be controlled by the user and not vulnerable to injection, but I could definitely be wrong!