Executing code dynamically is security sensitive. It has led in the past to the following vulnerabilities:
The eval function is a way to run arbitrary code at run-time. Dynamically evaluating code is slow and a potential security issue when the arguments haven't been properly validated.
Any code that is dynamically evaluated in your process has the same permissions as the rest of your code, so it is very dangerous to evaluate code coming from an untrusted source. Injected code can run either on the server or in the client (example: XSS attack).
This rule marks each occurrence of dynamic code execution for review.
var value = eval('obj.' + propName); // Noncompliant: propName is parsed and executed as code
var value = obj[propName]; // Compliant: propName is used only as a property key
Calling reflection methods with a hard-coded type name, method name or field name will not raise an issue.
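The snippet below is an added example, not part of the original rule text. It puts the noncompliant `eval` lookup beside a property-key lookup and goes beyond the page's one-line fix by supporting dotted paths and refusing inherited keys such as `__proto__` and `constructor`, which plain `obj[propName]` would still return. The names `getWithEval`, `getSafe`, `marker` and the sample object are assumptions made for illustration.

```javascript
// Constructed sample object standing in for the page's `obj`.
const obj = { name: 'alice', profile: { email: 'alice@example.test' } };

let sideEffects = 0; // lets us observe whether input was executed as code
function marker() { sideEffects += 1; return 'ran'; }

// Noncompliant pattern from the page: propName becomes part of the source text.
function getWithEval(propName) {
  return eval('obj.' + propName);
}

// Keys that lead to the prototype chain rather than to data.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Compliant pattern, extended to dotted paths: each segment is used only as a
// property key and must be an own property of the object being walked.
function getSafe(target, path) {
  if (typeof path !== 'string' || path.length === 0) return undefined;
  let current = target;
  for (const key of path.split('.')) {
    if (current === null || typeof current !== 'object') return undefined;
    if (BLOCKED.has(key)) return undefined;
    if (!Object.prototype.hasOwnProperty.call(current, key)) return undefined;
    current = current[key];
  }
  return current;
}

// Constructed input: a valid property name followed by a call expression.
const hostile = 'name, marker()';

function demo() {
  sideEffects = 0;
  const viaEval = getWithEval(hostile);  // comma expression, so marker() runs
  const ranUnderEval = sideEffects;
  const viaSafe = getSafe(obj, hostile); // no own key with that name
  const ranUnderSafe = sideEffects - ranUnderEval;
  return { viaEval, ranUnderEval, viaSafe, ranUnderSafe };
}

console.log(demo());
console.log(getSafe(obj, 'profile.email'), getSafe(obj, 'constructor'));
```

With the same input, the `eval` version runs the appended call while the key-based version treats the whole string as a property name that does not exist.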