Besides being awkward to read, the Function constructor is dangerous: it compiles and runs its string arguments much as eval does, so whatever reaches those strings is executed as JavaScript. If the string is built from untrusted data (a query parameter, a message body, a stored record), an attacker controls what runs in your program; the dynamic compilation is also slow, and in a browser a Content Security Policy that does not allow 'unsafe-eval' refuses the call outright with an EvalError.
In general it is better to avoid the constructor altogether, and in particular never use it to parse JSON data. ECMAScript 5's built-in JSON.parse accepts only the JSON grammar and executes nothing, and a dedicated library can add schema validation on top of it.
Noncompliant Code Example
var obj = new Function("return " + data)(); // Noncompliant: data is compiled and executed as JavaScript, not parsed
Compliant Solution
var obj = JSON.parse(data); // Compliant: anything that is not JSON throws a SyntaxError instead of running
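The following added example, written for this page and not part of the original rule text or the scanned project, feeds the same strings to the noncompliant Function-constructor "parser" and to JSON.parse. The function names (parseWithFunction, parseWithJson, parseTodoList) and the input strings are constructed for the demonstration; the todo-item shape checked by parseTodoList is an assumed one.

```javascript
// Added example, not code from the original page. Function and input names
// below are this example's own; the input strings are constructed.

// Noncompliant sink from the rule: the string is compiled and run as JavaScript.
function parseWithFunction(data) {
  return new Function("return " + data)();
}

// Compliant sink: JSON.parse accepts only the JSON grammar and never executes anything.
function parseWithJson(data) {
  return JSON.parse(data);
}

// Hardened variant: parse, then check the shape the caller expects (assumed to be
// an array of {text: string, done: boolean}), copying only the expected fields.
function parseTodoList(data) {
  const value = JSON.parse(data);
  if (!Array.isArray(value)) throw new TypeError("expected a JSON array");
  return value.map((item, i) => {
    if (typeof item !== "object" || item === null || Array.isArray(item) ||
        typeof item.text !== "string" || typeof item.done !== "boolean") {
      throw new TypeError(`item ${i} is not a {text: string, done: boolean}`);
    }
    return { text: item.text, done: item.done };
  });
}

// Constructed inputs.
const benign = '{"id": 1, "text": "buy milk"}';
// A comma expression: valid JavaScript, not JSON. The first operand runs as a
// side effect, the second becomes the return value, so the caller sees a normal object.
const injected = '(globalThis.pwned = "code ran", {"id": 1, "text": "buy milk"})';
// Evaluated as an object literal, a "__proto__" key sets the prototype;
// parsed as JSON it is just an own property named "__proto__".
const protoKey = '{"__proto__": {"isAdmin": true}}';

// Runs all three inputs through both sinks and reports what happened.
function demonstrate() {
  const results = {};
  results.benignSame =
    JSON.stringify(parseWithFunction(benign)) === JSON.stringify(parseWithJson(benign));

  delete globalThis.pwned;
  const fromFunction = parseWithFunction(injected);
  results.functionRanPayload = globalThis.pwned === "code ran" && fromFunction.id === 1;

  let jsonRejected = false;
  try { parseWithJson(injected); } catch (e) { jsonRejected = e instanceof SyntaxError; }
  results.jsonRejectedPayload = jsonRejected;

  results.functionSetPrototype = parseWithFunction(protoKey).isAdmin === true;
  const fromJson = parseWithJson(protoKey);
  results.jsonKeptOwnProperty =
    fromJson.isAdmin === undefined && Object.prototype.hasOwnProperty.call(fromJson, "__proto__");
  return results;
}

console.log(demonstrate());
```

The injected input is the point of the rule: the Function constructor returns exactly the object the caller asked for, so nothing downstream notices that an assignment ran first, while JSON.parse throws on the same string. The prototype case shows that even a string that looks like JSON has different semantics once it is evaluated as code.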
Exceptions
Calls whose argument is a single string literal (e.g. (Function('return this'))()) are ignored, since the code that runs is fixed at authoring time and cannot be influenced by input.
Recommendation
Review this "Function" call and make sure its arguments are properly validated. If any argument is derived from input, validating a free-form JavaScript source string is rarely feasible: replace the call with JSON.parse when the string is data, or restructure the code so that no function is built from strings at runtime.
Risk: high
Code
Link : https://github.com/reyesreg/react-todo/blob/89aa7360990ded17a76364355a35df86d7eee9dc/dist/bundle.js#L31199
Author: reyesreg@yahoo.com
Horangi detected this issue on 2019-04-12 10:15:15.713348