Should I Use Eval() in Quality Assurance Projects - Metric-Imperial Converter

Should I use eval() to run the calculations or use something else?

No, eval() is not a safe method. It is recommended to NOT be used at all because of security issues.

1 Like

Anytime you're dealing with user-inputted data (like from the API you are to build) you could be opening yourself up to a code injection vulnerability where you let an attacker run arbitrary code in your application.

eval is one of the easiest paths to letting this happen because it evaluates code for you. If you're taking user-entered values and passing them through eval at some point, you could open your app up to attacks. It could be somewhat harmless like the attacker turning your server off, or even vastly more malicious like hijacking your application's computation resources to mine bitcoin and/or spam people.

1 Like

I am not sure why you would think to do this? You do not need to evaluate some user JavaScript, and you are working in a Node.js environment. So, you have access to a number (given by the user), and you want to return some calculation on the number.

The user input will be nothing more than a number and a unit (km, gal, etc.), for valid inputs. So, what do you expect eval to do on this input? I suspect you are overthinking the user stories.

Remember, Node.js is mostly JavaScript. So, you can perform any mathematical operations you want, as well as leverage Regex to parse user input.

1 Like

Thank You all for responding to my inquiry.
As I continued working on the project, I realized I didn’t have to use eval since there were no complex calculating algorithms needed to be written.
But, at least, this post confirms that eval shouldn’t be used because it causes vulnerabilities.