noGlobalEval
Diagnostic Category: lint/security/noGlobalEval
Since: v1.5.0
Sources:
- Same as: no-eval
Description
Disallow the use of global eval().
The eval() function evaluates the passed string as JavaScript code.
The executed code can access and mutate variables in the scope where the function is called.
The use of eval() exposes the program to security risks and performance issues.
If the executed code is somehow affected by a malicious party, then you may end up executing malicious code with the privileges of the caller.
Moreover, changing variables in the caller’s scope is expensive in modern JavaScript interpreters.
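To make the risk concrete, here is an added example (not from the Biome documentation; the function and variable names are hypothetical): a settings parser built on a direct eval() lets the evaluated text reach the caller's own variables, while the refactored version parses data with JSON.parse() and keeps only the keys it expects.

```javascript
// Added example, not part of the Biome docs. Names are hypothetical.

// "Before": settings text (say, from a query string or a stored record) is
// turned into an object with a direct eval(). The evaluated text runs in the
// caller's scope, so it can read and overwrite local state such as allowAdmin.
function parseSettingsWithEval(text) {
  let allowAdmin = false; // caller-scope state the evaluated text can reach
  const settings = eval("(" + text + ")");
  return { settings, allowAdmin };
}

// "After": JSON.parse() only builds data and never executes code, and the
// result is reduced to the keys the application actually understands.
const ALLOWED_KEYS = new Set(["theme", "pageSize"]);

function parseSettingsSafely(text) {
  const allowAdmin = false;
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch (e) {
    return { settings: null, allowAdmin, error: "not valid JSON" };
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    return { settings: null, allowAdmin, error: "not a settings object" };
  }
  const settings = {};
  for (const key of Object.keys(parsed)) {
    if (ALLOWED_KEYS.has(key)) settings[key] = parsed[key];
  }
  return { settings, allowAdmin };
}

// Constructed inputs: a benign settings string, and one whose trailing comma
// expression assigns to the caller's allowAdmin when run through eval().
const BENIGN_INPUT = '{"theme": "dark", "pageSize": 20}';
const INJECTED_INPUT = '{"theme": "dark"}, allowAdmin = true';
```

With the eval-based parser, INJECTED_INPUT flips allowAdmin to true inside the caller; with the JSON-based parser the same string is rejected as invalid JSON and allowAdmin stays false.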
Examples
Invalid
eval("var a = 0");
code-block.js:1:1 lint/security/noGlobalEval ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✖ eval() exposes to security risks and performance issues.
> 1 │ eval("var a = 0");
│ ^^^^
2 │
ℹ See the MDN web docs for more details.
ℹ Refactor the code so that it doesn’t need to call eval().
(0, globalThis.eval)("var a = 0")
code-block.js:1:5 lint/security/noGlobalEval ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✖ eval() exposes to security risks and performance issues.
> 1 │ (0, globalThis.eval)("var a = 0")
│ ^^^^^^^^^^^^^^^
2 │
ℹ See the MDN web docs for more details.
ℹ Refactor the code so that it doesn’t need to call eval().
f(eval);
code-block.js:1:3 lint/security/noGlobalEval ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✖ eval() exposes to security risks and performance issues.
> 1 │ f(eval);
│ ^^^^
2 │
ℹ See the MDN web docs for more details.
ℹ Refactor the code so that it doesn’t need to call eval().
const aliasedEval = eval;
code-block.js:1:21 lint/security/noGlobalEval ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✖ eval() exposes to security risks and performance issues.
> 1 │ const aliasedEval = eval;
│ ^^^^
2 │
ℹ See the MDN web docs for more details.
ℹ Refactor the code so that it doesn’t need to call eval().
Valid
function f(eval) { eval("let a = 0;"); }
The rule is not able to detect cases where the global object is aliased:
let foo = globalThis;
foo.eval("let a = 0;");
How to configure
{
  "linter": {
    "rules": {
      "security": {
        "noGlobalEval": "error"
      }
    }
  }
}