Use of eval function in Sencha Ext Js
Static scans of applications developed with Ext JS framework often report a “high severity” warning on the use of eval function when using 3rd party vulnerability analysis tools (e.g., Veracode, CheckMarx). The reported flaws point to the use of eval() or globalEval() in the Ext JS codebase. The tools typically flag such calls since a malicious user can plague the input data to the function causing unintended behavior. Ext JS versions flagged: 4.x, 5.x, 6.x, 7.x
Applications developed with Ext JS framework using the eval functionality are free of reported security flaws (and can be classified as false positives) as long as developers are careful about sanitizing input data being rendered on client and server side—an important JavaScript secure coding practice to mitigate against potential attacks.
Details
Web applications using JavaScript can have their code modified by attackers by using web browser’s developer tools to inject malicious inputs or dangerous code into trusted applications. These situations compromise the security of the application, causing unintended behavior for users. This type of vulnerability is called cross-site scripting (XSS). Hackers can also utilize a user’s browser to run harmful code on other sites, referred to as cross-site request forgery (CSRF) attacks.
To protect against such scenarios (intentional or accidental), it is important for web applications to always sanitize data that is returned from user inputs or from the database/web service before it reaches the browser and rendered to the frontend. This can be done by encoding dangerous characters on the data returned. This technique validates that potentially harmful data will not affect other users when rendered or evaluated on their browsers preventing potential CSRF or XSS threats.