Executing code dynamically is security sensitive. It has led in the past to the following vulnerabilities:

The eval function runs arbitrary code at run-time. Dynamically evaluating code is slow and becomes a security issue whenever any part of the evaluated string has not been properly validated.

Any code that is dynamically evaluated in your process runs with the same permissions as the rest of your code, so evaluating code that comes from an untrusted source is very dangerous. Injected code can run either on the server or in the client (example: an XSS attack).

This rule marks for review each occurrence of dynamic code execution.

Noncompliant Code Example

var value = eval('obj.' + propName); // Noncompliant

Compliant Solution

var value = obj[propName];
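The two snippets above, fed an attacker-controlled property name, as an added example (this is not the rule's own code; obj, lookupWithEval, lookupSafe and the payload string are constructed for illustration):

```javascript
// Added example, not part of the rule: the same property lookup done with
// eval() and with bracket access, given a constructed attacker-controlled
// property name. The object, function names and payload are assumptions.

const obj = { name: "alice", role: "user" };

// Noncompliant: the untrusted string is spliced into program text, so
// anything after a ';' executes with the privileges of this process.
function lookupWithEval(propName) {
  // eslint-disable-next-line no-eval
  return eval("obj." + propName); // direct eval sees `obj` in this scope
}

// Compliant: the untrusted string is only ever used as a property key.
// Restricting the lookup to own properties also keeps keys such as
// "constructor" or "__proto__" from walking the prototype chain.
function lookupSafe(target, propName) {
  if (
    typeof propName !== "string" ||
    !Object.prototype.hasOwnProperty.call(target, propName)
  ) {
    return undefined;
  }
  return target[propName];
}

// Constructed payload: a valid property name followed by injected code.
const payload = "name; globalThis.injected = true";

function demo() {
  return {
    evalBenign: lookupWithEval("name"), // "alice"
    evalInjected: lookupWithEval(payload), // true: the injected statement ran
    injectedFlagSet: globalThis.injected === true,
    safeBenign: lookupSafe(obj, "name"), // "alice"
    safePayload: lookupSafe(obj, payload), // undefined: no such property
    safeProto: lookupSafe(obj, "constructor"), // undefined: not an own property
    rawBracketProto: obj["constructor"] === Object, // plain obj[key] reaches Object
  };
}

console.log(demo());
```

Plain `obj[propName]` removes the code-injection path but still reaches inherited properties, so a key that comes from outside the process should be checked against the object's own properties or an allowlist before the lookup.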

Exceptions

Calling reflection methods with a hard-coded type name, method name or field name will not raise an issue.

See