Windsurf security

Windsurf Generated Code Using eval() or Function Constructor

Windsurf's Cascade assistant generated JavaScript or TypeScript code that uses eval(), new Function(), or setTimeout/setInterval with string arguments to dynamically execute code. These patterns create severe code injection vulnerabilities that allow attackers to run arbitrary code in your application.

This typically happens when Cascade generates code to parse user input, build dynamic queries, process configuration files, or create flexible template systems. The generated code works correctly but introduces a critical attack surface.

You might discover this during a security audit, when a linter flags eval usage, or when a code review catches the pattern. If deployed to production, any user-controlled input reaching these eval calls could be exploited.

Error Messages You Might See

EvalError: Refused to evaluate a string as JavaScript
Content Security Policy directive: script-src 'self' does not allow 'unsafe-eval'
ESLint: eval can be harmful (no-eval)
TypeError: eval is not a function in strict mode

Common Causes

  • Dynamic JSON parsing with eval — Cascade used eval() to parse JSON instead of JSON.parse(), often when handling API responses with complex structures
  • String-based computed properties — Generated code uses eval to dynamically access nested object properties instead of bracket notation or lodash.get
  • Template string execution — Cascade built a template engine using new Function() to interpolate variables into strings
  • Dynamic import construction — Code constructs module import paths using eval rather than dynamic import() expressions
  • Math expression evaluation — A calculator or formula feature uses eval() to compute user-entered expressions

How to Fix It

  1. Search your codebase for eval patterns — Run grep -rn 'eval\|new Function\|setTimeout.*"\|setInterval.*"' src/ to find all instances
  2. Replace eval(JSON) with JSON.parse() — Every eval() call parsing JSON can be safely replaced with JSON.parse() wrapped in try-catch
  3. Use bracket notation for dynamic properties — Replace eval('obj.' + path) with a safe property accessor function that splits the path and walks the object
  4. Install a math expression parser — Replace eval() for math with a safe library like mathjs or expr-eval that only allows mathematical operations
  5. Add ESLint no-eval rule — Add 'no-eval': 'error' and 'no-new-func': 'error' to your ESLint config to prevent future occurrences
  6. Implement Content-Security-Policy — Add a CSP header with script-src that excludes 'unsafe-eval' to block eval at the browser level
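Steps 2 and 3 above in working JavaScript, as an added example that is not Windsurf's or this page's own code: a path walker that replaces eval('obj.' + path) and refuses to follow prototype-chain keys, beside the try-catch JSON.parse() wrapper also described in the FAQ. The names getPath and parseJsonSafely and the sample response object are assumptions.

```javascript
// Added example (not Windsurf's or the page's code): safe replacements for
// two of the eval() patterns listed above. Function names are illustrative.

// A dotted path from user input must never reach into the prototype chain;
// "constructor.prototype" should resolve to nothing on ordinary objects.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Step 3: walk the split path instead of evaluating 'obj.' + path as code.
// Returns `fallback` when any segment is missing, inherited or forbidden.
function getPath(obj, path, fallback = undefined) {
  if (typeof path !== "string" || path.length === 0) return fallback;
  let current = obj;
  for (const key of path.split(".")) {
    if (FORBIDDEN_KEYS.has(key)) return fallback;
    if (current === null || current === undefined) return fallback;
    // Own properties only: inherited members such as toString are not data.
    if (!Object.prototype.hasOwnProperty.call(current, key)) return fallback;
    current = current[key];
  }
  return current;
}

// Step 2: JSON.parse() in a try-catch instead of eval(jsonText).
// Malformed or hostile input yields { ok: false }; nothing is executed.
function parseJsonSafely(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample input: a mock API response and user-supplied paths.
const response = { user: { profile: { name: "Ada" } }, tags: ["a", "b"] };
console.log(getPath(response, "user.profile.name"));                  // "Ada"
console.log(getPath(response, "tags.1"));                             // "b"
console.log(getPath(response, "user.missing.name", "n/a"));           // "n/a"
console.log(getPath(response, "constructor.prototype", "blocked"));   // "blocked"
console.log(parseJsonSafely('{"a":1}').ok);                           // true
console.log(parseJsonSafely("alert(1)").ok);                          // false
```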


Frequently Asked Questions

Why is eval() dangerous even if it works correctly?

eval() executes any string as code. If an attacker can influence the string (through URL parameters, form inputs, database values), they can run arbitrary JavaScript — stealing cookies, accessing APIs, or modifying your page.

Is JSON.parse() always a safe replacement for eval()?

For parsing JSON data, yes. JSON.parse() only parses valid JSON and cannot execute code. Wrap it in try-catch to handle malformed input gracefully.
