# Eval Usage
# Detects eval() calls (security risk)
id: no-eval
name: Eval Usage
severity: error
category: security
defect_class: injection
inline_tier: blocking
language: typescript

message: "eval() detected — security risk, never use eval"

description: |
  eval() executes arbitrary code and is a major security vulnerability.
  It allows code injection attacks.
  
  ✅ ALTERNATIVES:
  - JSON.parse() for parsing JSON
  - Function constructor for dynamic functions (still risky)
  - Template literals for string interpolation
  - Proper parsing libraries for complex needs

query: |
  (call_expression
    function: (identifier) @FUNC
    (#eq? @FUNC "eval")
    arguments: (arguments) @ARGS)

metavars:
  - FUNC
  - ARGS

tags:
  - security
  - xss
  - owasp

examples:
  bad: |
    const userCode = "alert('hacked')";
    eval(userCode);  // DON'T DO THIS
  
  good: |
    // Use JSON.parse for JSON
    const data = JSON.parse(jsonString);
    
    // Use template literals
    const message = `Hello, ${name}`;

has_fix: false
