JavaScript methods like setTimeout(), setInterval(), or execScript() can accept a string of code as their first argument. This code will be executed at runtime, opening a vector for potential attacks.
It is generally considered bad practice to execute code built at runtime. This rule treats a call to one of these methods as an implied eval when its first argument is a string of code.
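// Examples the implied-eval rule does not report. The comments below
// ("identifiers are fine", "as are function expressions", ...) mark the
// reason each group is accepted: none of these calls passes a string of
// code as the first argument, so nothing here is compiled and run at
// runtime. Non-call references, assignments and computed-member access
// on the timer functions are listed as accepted as well.
setTimeout();
setTimeout;
setTimeout = foo;
window.setTimeout;
window.setTimeout = foo;
window['setTimeout'];
window['setTimeout'] = foo;
global.setTimeout;
global.setTimeout = foo;
global['setTimeout'];
global['setTimeout'] = foo;
globalThis['setTimeout'] = foo;
window[`SetTimeOut`]('foo', 100);
global[`SetTimeOut`]('foo', 100);
global[`setTimeout${foo}`]('foo', 100);
global[`setTimeout${foo}`]('foo', 100);
globalThis[`setTimeout${foo}`]('foo', 100);

// normal usage
setTimeout(function () { x = 1; }, 100);
setInterval(function () { x = 1; }, 100);
execScript(function () { x = 1; }, 100);
window.setTimeout(function () { x = 1; }, 100);
window.setInterval(function () { x = 1; }, 100);
window.execScript(function () { x = 1; }, 100);
window.setTimeout(foo, 100);
window.setInterval(foo, 100);
window.execScript(foo, 100);
global.setTimeout(function () { x = 1; }, 100);
global.setInterval(function () { x = 1; }, 100);
global.execScript(function () { x = 1; }, 100);
global.setTimeout(foo, 100);
global.setInterval(foo, 100);
global.execScript(foo, 100);
globalThis.setTimeout(foo, 100);

// only checks on top-level statements or window.*
foo.setTimeout('hi');

// identifiers are fine
setTimeout(foo, 10);
setInterval(1, 10);
execScript(2);

// as are function expressions
setTimeout(function () {}, 10);

// setInterval
foo.setInterval('hi');
setInterval(foo, 10);
setInterval(function () {}, 10);

// execScript
foo.execScript('hi');
execScript(foo);
execScript(function () {});

// a binary plus on non-strings doesn't guarantee a string
// setTimeout(foo + bar, 10)

// doesn't check anything but the first argument
setTimeout(foobar, 'buzz');
setTimeout(foobar, foo + 'bar');

// only checks immediate subtrees of the argument
setTimeout(function () { return 'foobar'; }, 10);

// https://github.com/eslint/eslint/issues/7821
setTimeoutFooBar('Foo Bar');
foo.window.setTimeout('foo', 100);
foo.global.setTimeout('foo', 100);

// var window; window.setTimeout('foo', 100);
// var global; global.setTimeout('foo', 100);
// function foo(window) { window.setTimeout('foo', 100); }
// function foo(global) { global.setTimeout('foo', 100); }

foo('', window.setTimeout);
foo('', global.setTimeout);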
How to use this rule
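# Enables the javascript-best-practices ruleset, which is how this rule is turned on.
rulesets:
  - javascript-best-practices # Rules to enforce JavaScript best practices.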
Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Security scans to your CI pipelines