Skip to main content

Avoid dynamic code execution

Summary

The system should not use dynamic code execution features such as eval().

Description

Dynamic code execution features, despite the flexibility they provide, should be used carefully and generally avoided. These features often open the door for remote code execution (RCE) and cross-site scripting (XSS) attacks. Therefore, if it is not possible to avoid dynamic code execution, any untrusted input being included (e.g., the one provided by the users) should be properly sanitized.

Supported In

This requirement is verified in following services:

PlanSupported
Machine🔴
Squad🟢
One-Shot🟢

References