Vulnerability alert on SonarQube


Hi,

We are using SonarQube quality analysis tool. The tool shows vulnerability alert on hands on table plugin file handsontable.full.js . The message is as follows

The eval function is a way to run arbitrary code at run-time. Generally it is considered to be very dangerous because it allows execution of arbitrary code. Its use is thus discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user-provided data into it without properly validating it beforehand.

Is this true that eval function is vulnerable? Is there any alternatives or new updates?

Hi @alikhodja

We are going to change the following eval() method https://github.com/handsontable/formula-parser/issues/18 but there’s no deadline for the following issue yet.

Are you using the Formulas plugin in your project?

Hi,
Thanks for the reply, we are not using the Formulas plugin.

Then you can even build a version without it. Here’s a tutorial on how to pick features that you like and create a custom Handsontable package https://handsontable.com/blog/articles/how-to-build-a-custom-version-of-handsontable
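The SonarQube message quoted above is about the property that `eval()` executes whatever string it is given, so any formula text that reaches it is executable code. The usual alternative, when you do need to evaluate expressions, is a parser that only accepts the grammar you intend. The following is an added example, not Handsontable's or formula-parser's code: a small recursive-descent arithmetic evaluator (numbers, `+ - * /`, parentheses, unary minus) that returns the same result as `eval()` would for well-formed arithmetic and throws on anything else. The inputs in the demo are constructed for illustration.

```javascript
// Added example (not Handsontable's code): a constrained arithmetic evaluator.
// Unlike eval(), it can only compute arithmetic; identifiers, calls, statements
// and stray tokens are rejected with a SyntaxError instead of being executed.

function tokenize(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const ch = src[i];
    if (/\s/.test(ch)) { i++; continue; }
    if (/[0-9.]/.test(ch)) {
      let j = i;
      while (j < src.length && /[0-9.]/.test(src[j])) j++;
      const text = src.slice(i, j);
      if (!/^(\d+\.?\d*|\.\d+)$/.test(text)) throw new SyntaxError(`bad number "${text}"`);
      tokens.push({ type: "num", value: Number(text) });
      i = j;
      continue;
    }
    if ("+-*/()".includes(ch)) { tokens.push({ type: ch }); i++; continue; }
    // Anything outside the allow-list (letters, quotes, semicolons, ...) is refused here.
    throw new SyntaxError(`unexpected character "${ch}" at ${i}`);
  }
  return tokens;
}

// Grammar (recursive descent):
//   expr   := term (('+' | '-') term)*
//   term   := factor (('*' | '/') factor)*
//   factor := '-' factor | num | '(' expr ')'
function safeEval(src) {
  const tokens = tokenize(src);
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  function factor() {
    const t = next();
    if (!t) throw new SyntaxError("unexpected end of input");
    if (t.type === "-") return -factor();
    if (t.type === "num") return t.value;
    if (t.type === "(") {
      const v = expr();
      const close = next();
      if (!close || close.type !== ")") throw new SyntaxError("expected ')'");
      return v;
    }
    throw new SyntaxError(`unexpected token "${t.type}"`);
  }
  function term() {
    let v = factor();
    while (peek() && (peek().type === "*" || peek().type === "/")) {
      const op = next().type;
      const r = factor();
      if (op === "/" && r === 0) throw new RangeError("division by zero");
      v = op === "*" ? v * r : v / r;
    }
    return v;
  }
  function expr() {
    let v = term();
    while (peek() && (peek().type === "+" || peek().type === "-")) {
      const op = next().type;
      const r = term();
      v = op === "+" ? v + r : v - r;
    }
    return v;
  }

  const result = expr();
  // Leftover tokens mean the input was not a single expression; refuse it.
  if (pos !== tokens.length) throw new SyntaxError(`trailing input at token ${pos}`);
  return result;
}

// True when the evaluator refuses the input rather than computing it.
function rejects(src) {
  try { safeEval(src); return false; } catch (e) { return true; }
}

// Stand-alone demo with constructed inputs (guarded so it also loads as a module).
if (typeof require !== "undefined" && require.main === module) {
  console.log(safeEval("(1 + 2) * 3 - 4 / 2"));   // 7
  console.log(rejects("process.exit(1)"));        // true: eval() would have run this
  console.log(rejects("1 + 2; 3"));               // true: statements are not arithmetic
}
```

The point of the design is that the allow-list lives in the tokenizer and the grammar, so the safe set of inputs is explicit and reviewable, which is exactly what a static analyser like SonarQube cannot establish for an `eval()` call. If your build still includes the Formulas plugin, the flagged call is in the formula-parser dependency rather than in your own code, and the fix is the upstream change tracked in the linked issue or, as suggested above, building a Handsontable package without that plugin.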

Thank you. We will try building without Formulas.

You’re welcome. Let me know if you need anything else