I’m currently working on a project, and we’ve identified a security flaw reported by Veracode with CWE ID 95, which corresponds to Eval Injection. The flaw was detected in our FileAPI.js script, specifically around the area where dynamic code execution or eval is used.
Problem: The static analysis scan flagged our FileAPI.js v2.0.7 file for potential code injection vulnerabilities around line 439.
parseJSON: function (str){
    var json;
    if( window.JSON && JSON.parse ){
        json = JSON.parse(str);
    }
    else {
        // fallback: escapes raw CR/LF and evaluates the string as a JS expression
        json = (new Function('return ('+str.replace(/([\r\n])/g, '\\$1')+');'))();
    }
    return json;
}
What I’ve Tried:
parseJSON: function (str){
    var json;
    if( window.JSON && JSON.parse ){
        json = JSON.parse(str);
    }
    else {
        console.error("window.JSON && JSON.parse is not available");
    }
    return json;
}
Any advice or recommendations on how to handle this issue effectively would be greatly appreciated!
Thanks in advance!
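An added example (not from the question or from the FileAPI project) showing why the flagged fallback is CWE-95: the `new Function('return (' + str + ');')` pattern executes whatever expression the string contains, whereas `JSON.parse` rejects anything that is not JSON data. `parseJSONViaFunction` reproduces the shape of the flagged FileAPI.js branch; `parseJSONSafe` is one hardened replacement that only ever calls `JSON.parse` and throws (rather than silently returning `undefined`) if it is missing. The function names, the `demo` helper and the sample strings are constructed for this example; the injected payload only sets a global marker so the effect is visible without doing anything harmful.

```javascript
// Constructed demonstration of CWE-95 in a JSON-parsing fallback.
// Names and sample inputs are assumptions for this example.

// Vulnerable pattern, same shape as the flagged FileAPI.js fallback:
// the caller-supplied string becomes source code and is executed.
function parseJSONViaFunction(str) {
  return (new Function('return (' + str.replace(/([\r\n])/g, '\\$1') + ');'))();
}

// Hardened: parse with JSON.parse only and fail closed when it is absent.
// JSON.parse treats its input strictly as data, never as code.
function parseJSONSafe(str) {
  if (typeof JSON !== 'object' || typeof JSON.parse !== 'function') {
    throw new Error('JSON.parse is not available; refusing to evaluate input as code');
  }
  return JSON.parse(str);
}

// Constructed inputs. INJECTED looks like it yields {"ok": true} but carries
// an expression that runs arbitrary code (here: it just sets a global marker).
const INJECTED = '(globalThis.__injectionMarker = "code ran", {"ok": true})';
const BENIGN = '{"name": "upload.png", "size": 1024}';

// Runs both parsers over the inputs and reports what happened.
function demo() {
  const results = {};

  delete globalThis.__injectionMarker;
  results.viaFunction = parseJSONViaFunction(INJECTED);      // {ok: true}
  results.markerAfterFunction = globalThis.__injectionMarker; // "code ran": injected code executed

  delete globalThis.__injectionMarker;
  try {
    parseJSONSafe(INJECTED);
    results.safeThrew = false;
  } catch (e) {
    results.safeThrew = e instanceof SyntaxError;            // true: rejected as invalid JSON
  }
  results.markerAfterSafe = globalThis.__injectionMarker;    // undefined: nothing ran

  results.benign = parseJSONSafe(BENIGN);                    // normal data still parses
  return results;
}

const report = demo();
console.log(report);
```

The practical takeaway for a scanner finding like this one is that removing the `Function`/`eval` branch entirely is the fix; any string passed to it is a code-injection sink regardless of the CR/LF escaping, and a fallback that returns `undefined` without signalling an error can hide failures downstream, so throwing is the safer behaviour when `JSON.parse` is genuinely unavailable.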