node.js - How do I prevent dynamic code loading via eval in nodejs?

Question

Is there any way to prevent the use of eval and friends in nodejs code? It has been used by at least a couple of the npm malicious packages, and there is no reason for me to use it in my current project.

The fact that the unsafe-eval CSP declaration exists implies that it should be possible at the V8 level, but as far as I can tell, node doesn't expose this functionality. (if I had my way, banning eval would be the default...) I know the no-eval eslint rule exists, which is a good start, but I'm looking for something with runtime guarantees that includes node_modules as well.

Answer 1

You can't change how Node.js interpret the code unless you write/change the interpreter yourself. You can use linters like ESlint with the no-eval rule to make sure there is none in your code if it is not required.

eval is not in and of itself evil. It does serve some legit purposes.

It is only unsafe when you use it in an unsafe manner.

It's like a cooking knife. It is safe when you use it properly and use it for what it is made to do. If you try to pick your teeth with it, you can. But it is probably not a good idea.

What you are asking now is like asking how can you not let a knife be sharp because it can potentially cut you.

There are other more important things to worry about.

1. Is your server secure without misconfiguration?
2. Did you actually install the right packages not some malicious ones with similar names waiting for you to make a typo?
3. Did you check the package content before just running npm i?
4. Did you accidentally commit sensitive information to your version control?
5. Is your database secured? Is it accidentally configured to be internet-facing while it should not be?

Just to name a few. There are hundreds perhaps thousands of other points that you should worry about in terms of the overall security of your system.

Side Note: For 0-day vulnerabilities, you can only pray.