I have been trying to solve a vulnerability which says I can’t use eval() in my code. It said to review the arguments in the eval function and make sure they are validated.
I tried to replace it with new Function() but it is still giving me a vulnerability. Is there any other way to replace eval()?
Attaching the link for code reference
I am very new to coding, so pardon me if I am asking something very simple.
The goal of rule S1523 is to highlight sensitive pieces of code that can lead to a code injection vulnerability. It appears that this is not the case when using the react-google-tag-manager library, so you can close this issue as safe/false positive.
You can also check this discussion on the react-google-tag-manager GitHub repository related to a possible way to use the library without eval() calls.
The rule S1523 will be deprecated in the future in favor of the SonarQube taint analysis engine/injection rule: an issue will be raised only when a user-controlled input is used as an argument of eval()/Function() calls, which is clear proof of a code injection vulnerability.
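For the original question of how to avoid eval()/new Function() on input you do not control, the following is an added example (not code from the thread or from react-google-tag-manager): data is parsed with JSON.parse and checked against an allowlist, and "call a function by name" is done through a fixed dispatch table. The function and key names (parseSettings, runCommand, COMMANDS, debug, retries) are assumptions for illustration.

```javascript
// Added example: replacing eval()/new Function() on untrusted input with
// data-only parsing and an explicit dispatch table.

// Data: JSON.parse only produces values, never executes code. The result is
// then reduced to an allowlisted shape so unexpected keys/types are dropped.
function parseSettings(text) {
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch (e) {
    throw new Error('settings must be valid JSON');
  }
  if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
    throw new Error('settings must be a JSON object');
  }
  const out = {};
  if (typeof parsed.debug === 'boolean') {
    out.debug = parsed.debug;
  }
  if (Number.isInteger(parsed.retries) && parsed.retries >= 0 && parsed.retries <= 10) {
    out.retries = parsed.retries;
  }
  return out;
}

// Behaviour: instead of eval(name + '()') or new Function(name)(), look the
// name up in a frozen table of allowed functions. Only own properties count,
// so prototype names such as "constructor" are rejected like any other unknown.
const COMMANDS = Object.freeze({
  ping: () => 'pong',
  version: () => '1.0.0', // constructed sample value
});

function runCommand(name) {
  if (!Object.prototype.hasOwnProperty.call(COMMANDS, name)) {
    throw new Error('unknown command: ' + name);
  }
  return COMMANDS[name]();
}
```

Because no argument ever reaches eval() or Function(), there is nothing left for rule S1523 (or a taint rule) to flag on these paths.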