
typescript.unsafe_eval

Security Critical

Detects calls to eval() and other dynamic code execution patterns, such as the Function constructor and string arguments to setTimeout/setInterval.

Passing a runtime-controlled string to eval() exposes the application to:

  • Code injection — whatever an attacker places in the string runs with the full privileges of the calling code
  • XSS attacks — user input becomes executable script in the page
  • CSP violations — the page must allow 'unsafe-eval' in script-src, weakening Content Security Policy for every script
```typescript
// ❌ Before (unsafe eval)
function calculate(expression: string): number {
  return eval(expression); // User controls expression!
}

// Or with the Function constructor, which is eval by another name:
const fn = new Function('x', 'return x * 2');
```

```typescript
// ✅ After (safe alternatives)
import { evaluate } from 'mathjs';

function calculate(expression: string): number {
  // Use a safe math parser: only the parser's own grammar is accepted,
  // so arbitrary JavaScript in `expression` never executes.
  const result = evaluate(expression);
  // evaluate() returns `any` (matrices, units, functions); enforce the contract.
  if (typeof result !== 'number') {
    throw new TypeError('expression did not evaluate to a number');
  }
  return result;
}

// For dynamic functions, use well-typed alternatives:
const double = (x: number): number => x * 2;
```
Detected patterns:

  • Direct eval() calls
  • new Function() constructor
  • setTimeout/setInterval with string arguments, which are evaluated as code

Unfault suggests safe alternatives like math parsers or template systems. A parser is only as safe as its own implementation, so keep the library current and bound the size of user-supplied expressions before parsing them.
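The mathjs version above delegates the grammar to a library. The following is an added example, not part of the Unfault documentation or its codebase: it places the same unsafe function beside a hand-written evaluator that accepts only an allowlisted arithmetic grammar, so there is no dependency and no position at which an injected statement can run. The names calculateUnsafe, calculateSafe, tokenize, Parser and MAX_EXPRESSION_LENGTH are this example's own.

```typescript
// Added example (not Unfault's own code): the flagged pattern beside a
// hand-written arithmetic evaluator that accepts only an allowlisted grammar.

// ❌ The pattern the rule flags: user input reaches eval().
function calculateUnsafe(expression: string): number {
  return eval(expression); // any JS in `expression` runs with this module's privileges
}

// ✅ Safe alternative: a recursive-descent parser for
//   expr   := term (('+' | '-') term)*
//   term   := factor (('*' | '/') factor)*
//   factor := '-' factor | number | '(' expr ')'
// Identifiers, calls and property access are not in the grammar, so the
// tokenizer rejects them before anything is evaluated.
type Token = { kind: 'num'; value: number } | { kind: 'op'; value: string };

function tokenize(src: string): Token[] {
  const tokens: Token[] = [];
  let i = 0;
  while (i < src.length) {
    const ch = src[i];
    if (ch === ' ' || ch === '\t') { i++; continue; }
    if ('+-*/()'.includes(ch)) { tokens.push({ kind: 'op', value: ch }); i++; continue; }
    if (/[0-9.]/.test(ch)) {
      const start = i;
      while (i < src.length && /[0-9.]/.test(src[i])) i++;
      const value = Number(src.slice(start, i));
      if (!Number.isFinite(value)) throw new Error(`bad number at ${start}`);
      tokens.push({ kind: 'num', value });
      continue;
    }
    // Anything else (letters, ';', '=', quotes) is an injection attempt or a typo.
    throw new Error(`unexpected character ${JSON.stringify(ch)} at ${i}`);
  }
  return tokens;
}

class Parser {
  private readonly tokens: Token[];
  private pos = 0;
  constructor(tokens: Token[]) { this.tokens = tokens; }

  parse(): number {
    const value = this.expr();
    if (this.pos !== this.tokens.length) throw new Error('trailing input');
    return value;
  }

  private peekOp(): string | undefined {
    const t = this.tokens[this.pos];
    return t && t.kind === 'op' ? t.value : undefined;
  }

  private expr(): number {
    let value = this.term();
    for (let op = this.peekOp(); op === '+' || op === '-'; op = this.peekOp()) {
      this.pos++;
      const rhs = this.term();
      value = op === '+' ? value + rhs : value - rhs;
    }
    return value;
  }

  private term(): number {
    let value = this.factor();
    for (let op = this.peekOp(); op === '*' || op === '/'; op = this.peekOp()) {
      this.pos++;
      const rhs = this.factor();
      if (op === '/' && rhs === 0) throw new Error('division by zero');
      value = op === '*' ? value * rhs : value / rhs;
    }
    return value;
  }

  private factor(): number {
    const t = this.tokens[this.pos];
    if (!t) throw new Error('unexpected end of input');
    if (t.kind === 'num') { this.pos++; return t.value; }
    if (t.value === '-') { this.pos++; return -this.factor(); }
    if (t.value === '(') {
      this.pos++;
      const value = this.expr();
      if (this.peekOp() !== ')') throw new Error('missing )');
      this.pos++;
      return value;
    }
    throw new Error(`unexpected token ${t.value}`);
  }
}

// Cap input size before parsing: a cheap guard against oversized expressions.
const MAX_EXPRESSION_LENGTH = 256;

function calculateSafe(expression: string): number {
  if (expression.length > MAX_EXPRESSION_LENGTH) throw new Error('expression too long');
  return new Parser(tokenize(expression)).parse();
}
```

With a constructed attacker input such as 'globalThis.pwned = 1; 2 + 2', calculateUnsafe returns 4 and silently sets a global, which is exactly what the rule is guarding against; calculateSafe rejects the same string at the first letter. The length cap is the kind of bound worth applying in front of any expression parser, mathjs included.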