File .deepsource.toml not found in the default branch of the repository root. Please refer to the docs.
Detected the use of an
eval()-like method JS-0330
Bug risk
Major
a year ago
—
a year old
Implied eval. Consider passing a function
73 }
74 );
75
76 const resolveAfter3Sec = new Promise((resolve) => setTimeout(resolve, 3000)); 77
78 const transferSubscriptionsMutation = useMutation(
79 (post: TransferSub) => Stripe.transferSubscriptions(post),
Description
Executing JavaScript from an arbitrary string can greatly compromise your application's security.
It is possible to achieve eval-like behaviour from incorrect use of the following functions:
setTimeout(), setInterval(), setImmediate() and execScript() (Internet Explorer only).
All of them are capable of accepting a string as their first argument and then interpreting it as JavaScript code in the global scope.
This leaves your application vulnerable to several security threats.
setTimeout('alert("Hi!");', 100);
Using the Function constructor also has similar behavior, wherein it interprets a string as JavaScript code:
const fn = new Function('a', 'b', 'return a + b');
Bad Practice
setTimeout('alert("Hi!");', 100);
// or:
execScript('alert("Hi!")');
// or:
window.setInterval('foo = bar', 10);
// or:
const callback = new Function('err', 'res', 'store(res.data);');
Recommended
setTimeout(function () {
alert('Hi!');
}, 100);
execScript(function () {
alert('Hi!');
});
const callback = (err, res) => {
store(res.data);
}