
ast/eval-user-input

Dynamic eval / new Function called with user-controlled string

Severity: critical · Category: AST · Tags: eval, CWE-95 · Languages: js, ts

What it detects

eval() or `new Function(...)` was called with an argument that interpolates or concatenates a value sourced from req.body, req.query, req.params, req.headers, ctx.request, or `userInput`. The user controls JavaScript that the server then executes — arbitrary code execution. Refactor to parse the input with a structured schema (JSON.parse with validation, or a real expression parser) and act on it via a dispatch map.
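The shape this rule flags, placed next to the dispatch-map refactor it recommends. This is an added example, not repoguard's own code; `req.body` is a constructed stand-in for an Express request body, and the operation names in `OPERATIONS` are illustrative. The hardened version also covers an edge case worth knowing: a plain `in` check would accept `op: "constructor"` via the object's prototype chain, so the allow-list lookup uses `hasOwnProperty`.

```javascript
// Added example (not part of the repoguard rule set). Shows the call shape
// ast/eval-user-input reports and the structured-input + dispatch-map refactor.

// --- Flagged shape: a req.body value is interpolated into executable code ---
// The rule fires on this call: `req.body.expr` controls the generated function.
function computeUnsafe(req) {
  return new Function(`return (${req.body.expr});`)();
}

// --- Refactor: parse with a schema, then dispatch through an allow-list map ---
// Constructed operation table; a real service would list its own handlers.
const OPERATIONS = Object.freeze({
  add: (a, b) => a + b,
  sub: (a, b) => a - b,
  mul: (a, b) => a * b,
  div: (a, b) => {
    if (b === 0) throw new RangeError('division by zero');
    return a / b;
  },
});

// Validate the raw body into a fixed shape { op, a, b } or throw TypeError.
function parseRequest(rawBody) {
  let msg;
  try {
    msg = JSON.parse(rawBody);
  } catch (e) {
    throw new TypeError('body is not valid JSON');
  }
  if (typeof msg !== 'object' || msg === null || Array.isArray(msg)) {
    throw new TypeError('body must be a JSON object');
  }
  const { op, a, b } = msg;
  // hasOwnProperty, not `in`: "constructor" or "__proto__" would otherwise
  // resolve through Object.prototype and slip past the allow-list.
  if (typeof op !== 'string' || !Object.prototype.hasOwnProperty.call(OPERATIONS, op)) {
    throw new TypeError(`unknown op: ${String(op)}`);
  }
  if (!Number.isFinite(a) || !Number.isFinite(b)) {
    throw new TypeError('operands must be finite numbers');
  }
  return { op, a, b };
}

// No user-controlled string ever reaches eval/new Function here; the only
// thing the caller chooses is which pre-written handler runs.
function computeSafe(rawBody) {
  const { op, a, b } = parseRequest(rawBody);
  return OPERATIONS[op](a, b);
}

module.exports = { computeUnsafe, computeSafe, parseRequest, OPERATIONS };
```

Run with `node` after wiring `computeSafe` to a route that passes the raw request body; a body of `{"op":"add","a":2,"b":3}` yields `5`, while `{"op":"constructor",...}` is rejected at parse time instead of reaching a code-generating call.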

How it runs

Each file scanned is parsed with the TypeScript Compiler API (via ts-morph). This rule walks the AST looking for the call shape and user-input flow it describes. Skipped on files larger than 200 KB or that fail to parse.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.