src/content/docs/linter/rules/no-global-eval.mdx
import { Tabs, TabItem } from '@astrojs/starlight/components';
<Tabs>
<TabItem label="JavaScript (and super languages)" icon="seti:javascript">

## Summary
- Rule available since: `v1.5.0`
- Diagnostic Category: [`lint/security/noGlobalEval`](/reference/diagnostics#diagnostic-category)
- This rule is **recommended**, meaning it is enabled by default.
- This rule doesn't have a fix.
- The default severity of this rule is [**error**](/reference/diagnostics#error).
- Sources:
  - Same as [`no-eval`](https://eslint.org/docs/latest/rules/no-eval)

```json
{
	"linter": {
		"rules": {
			"security": {
				"noGlobalEval": "error"
			}
		}
	}
}
```

Disallow the use of global `eval()`.

The `eval()` function evaluates the passed string as JavaScript code.
The executed code can access and mutate variables in the scope where the function is called.

Using `eval()` exposes you to security risks and performance issues.
If the executed code is somehow affected by a malicious party,
then you may end up executing malicious code with the privileges of the caller.
Moreover, changing variables in the caller's scope is expensive in modern JavaScript interpreters.
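
The scope access described above, shown as an added example that is not part of the Biome documentation: a direct `eval()` call lets the evaluated string rewrite a local of its caller, the indirect call form moves the side effect to the global object, and a data-only parser rejects the same input. The function names and both input strings are constructed for illustration.

```javascript
// Added example. Function names and both inputs are constructed.
const BENIGN = '{"theme":"dark"}';
const HOSTILE = 'trusted = true, {"theme":"dark"}';

// Direct eval: the string runs in this function's scope, so it can
// reassign the local `trusted` that the caller never meant to expose.
function parseWithDirectEval(input) {
  let trusted = false;
  const value = eval("(" + input + ")");
  return { value, trusted };
}

// Indirect eval: the string runs in the global scope. The local survives,
// but the assignment lands on the global object instead.
function parseWithIndirectEval(input) {
  let trusted = false;
  const value = (0, eval)("(" + input + ")");
  const leakedGlobal = globalThis.trusted === true;
  delete globalThis.trusted; // undo the side effect for later calls
  return { value, trusted, leakedGlobal };
}

// Data-only parser: anything that is not JSON is rejected, never executed.
function parseWithJson(input) {
  return { value: JSON.parse(input), trusted: false };
}

// Run a parser and report the error name instead of throwing.
function tryParse(parser, input) {
  try {
    return parser(input);
  } catch (err) {
    return { error: err.name };
  }
}

console.log("direct  :", tryParse(parseWithDirectEval, HOSTILE));
console.log("indirect:", tryParse(parseWithIndirectEval, HOSTILE));
console.log("json    :", tryParse(parseWithJson, HOSTILE));
console.log("json ok :", tryParse(parseWithJson, BENIGN));
```

Both `eval` forms accept the constructed input and change state outside the returned value, which is why the rule reports them alike.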

## Examples

### Invalid

```js
eval("var a = 0");
```

```js
(0, globalThis.eval)("var a = 0")
```

```js
f(eval);
```

```js
const aliasedEval = eval;
```

### Valid

```js
function f(eval) {
    eval("let a = 0;");
}
```

The rule is not able to detect cases where the global object is aliased:

```js
let foo = globalThis;
foo.eval("let a = 0;");
```