# Code Injection via eval() and Function constructor

- ID: javascript-code-injection
- Severity: CRITICAL
- CWE: Code Injection (CWE-94)
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify

## Description

Detects user input flowing to code execution functions such as `eval()` or the `Function` constructor.

## Detection Message

Dangerous function usage detected: {sink}. Input from {source} allows an attacker to execute arbitrary code. This can lead to Remote Code Execution (RCE) if user input is not properly validated.

## Remediation

Use `JSON.parse` for data, or a predefined function map, instead of `eval()`.

```javascript
// Parse data as data: JSON.parse builds values, it never executes code
const data = JSON.parse(userInput);

// Or dispatch through a function map keyed by the allowed action names
const ops = { add: (a, b) => a + b };
ops[action]?.(x, y);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-94/code-injection

## Related Rules

- **Code Injection via os/exec** [CRITICAL]
- **LLM Insecure Output Handling** [HIGH]
- **Server-Side Template Injection** [CRITICAL]
- **Code Injection via eval/exec** [CRITICAL]
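The following is an added example, not code from the rule page or from shoulder.dev, showing the pattern the rule flags (an `eval()` sink fed by request parameters) beside the two remediations the Remediation section names: a closed function map and `JSON.parse`. The names `computeUnsafe`, `computeSafe`, `parseConfig`, `ops`, `action`, `x` and `y` are assumptions for illustration; the request values are constructed inline.

```javascript
// Added example (not part of the rule page). `action`, `x` and `y` are
// assumed to arrive from an untrusted request body in an express/fastify
// handler; here they are plain function arguments so the file runs offline.

// VULNERABLE: the sink this rule detects. Untrusted text is concatenated
// into source code and handed to eval(), so whatever expression the caller
// supplies runs with the privileges of the server process.
function computeUnsafe(action, x, y) {
  return eval(`${action}(${x}, ${y})`);
}

// HARDENED: a closed allow-list of operations. The map is created with no
// prototype, so a lookup such as "constructor", "toString" or "__proto__"
// cannot resolve to an inherited function; the name is additionally checked
// as an own property, and operands are validated before use.
const ops = Object.create(null);
ops.add = (a, b) => a + b;
ops.sub = (a, b) => a - b;
ops.mul = (a, b) => a * b;

function computeSafe(action, x, y) {
  if (typeof action !== "string" ||
      !Object.prototype.hasOwnProperty.call(ops, action)) {
    throw new Error(`unsupported action: ${String(action)}`);
  }
  const a = Number(x);
  const b = Number(y);
  if (!Number.isFinite(a) || !Number.isFinite(b)) {
    throw new Error("operands must be finite numbers");
  }
  return ops[action](a, b);
}

// Data, not code: JSON.parse only builds values. The shape check afterwards
// is what replaces the validation people sometimes hope eval() will do.
function parseConfig(userInput) {
  const parsed = JSON.parse(userInput);
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    throw new Error("expected a JSON object");
  }
  return parsed;
}

module.exports = { computeUnsafe, computeSafe, parseConfig };
```

The page's `ops[action]?.(x, y)` is the right idea, but on a plain object literal the lookup also sees inherited properties of `Object.prototype`, so an `action` of `"constructor"` or `"toString"` calls a function the developer never listed. A null-prototype object (or a `Map`) plus an own-property check keeps the dispatch table closed to exactly the names it declares.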