Is there a way to replace Eval without using the new function?

I have been trying to solve a vulnerability which says I can't use eval() in my code. It said to review the arguments in the eval function and make sure they are validated.
I tried to replace it with new Function(), but it still is giving me a vulnerability. Is there any other way to replace eval()?


Attaching the link for code reference

I am very new to coding, so pardon me if I am asking something very simple.

Hi,

Welcome to the community!

What language are we talking about?

Ann

Hello @Ritik_Bansal

Welcome to the community!

The goal of rule S1523 is to highlight a sensitive piece of code that can lead to a code injection vulnerability. It appears that this is not the case when using the (react-google-tag-manager) library, thus you can close this issue as safe/false positive.

You can also check this discussion on the react-google-tag-manager GitHub repository related to a possible way to use the library without eval() calls.

The rule S1523 will be deprecated in the future in favor of the SonarQube taint analysis engine/injection rule: an issue will be raised only when a user-controlled input is used as an argument of eval()/Function() calls, which is clear proof of a code injection vulnerability.

Eric

1 Like
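The distinction Eric draws, illustrated with an added JavaScript example that is not from this thread or from the react-google-tag-manager library: user-controlled text passed to eval() is the pattern the taint-analysis rule flags, and the two replacements beside it treat the same input as data rather than code. Function and constant names (parseSettingsUnsafe, parseSettingsSafe, ACTIONS, runActionSafe) and the sample inputs are assumptions constructed for the example.

```javascript
// Added example, not code from the original thread. Names are assumptions.

// Vulnerable: user-controlled text reaches eval(), so whatever JavaScript the
// user sends is executed. This is the "user-controlled input used as an
// argument of eval()" case the taint-analysis rule reports.
function parseSettingsUnsafe(userInput) {
  return eval('(' + userInput + ')');
}

// Hardened: parse the same input as data. JSON.parse never executes its
// input, and the shape check below only keeps the fields the app expects.
function parseSettingsSafe(userInput) {
  let parsed;
  try {
    parsed = JSON.parse(userInput);
  } catch (e) {
    return null; // not valid JSON: reject rather than "try harder" with eval
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return null;
  }
  const out = {};
  if (['light', 'dark'].includes(parsed.theme)) out.theme = parsed.theme;
  if (Number.isInteger(parsed.pageSize) && parsed.pageSize > 0 && parsed.pageSize <= 100) {
    out.pageSize = parsed.pageSize;
  }
  return out;
}

// Hardened dispatch: where eval() was used to call a function by its name,
// a frozen lookup table means only the listed functions can ever run.
const ACTIONS = Object.freeze({
  reload: () => 'reloaded',
  logout: () => 'logged out',
});

function runActionSafe(name) {
  // hasOwnProperty guards against names inherited from Object.prototype
  return Object.prototype.hasOwnProperty.call(ACTIONS, name) ? ACTIONS[name]() : undefined;
}

// Constructed sample inputs: the second is valid JavaScript but not valid JSON,
// so it is executed by the eval() version and rejected by the JSON.parse version.
const BENIGN_INPUT = '{"theme":"dark","pageSize":25}';
const HOSTILE_INPUT = '{"theme":"dark","pageSize":(globalThis.sideEffect = true, 25)}';
```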