
Windsurf Generated Code Using eval() or Function Constructor

Windsurf's Cascade assistant generated JavaScript or TypeScript code that uses eval(), new Function(), or setTimeout/setInterval with string arguments to dynamically execute code. These patterns create severe code injection vulnerabilities that allow attackers to run arbitrary code in your application.

This typically happens when Cascade generates code to parse user input, build dynamic queries, process configuration files, or create flexible template systems. The generated code works correctly but introduces a critical attack surface.

You might discover this during a security audit, when a linter flags eval usage, or when a code review catches the pattern. If deployed to production, any user-controlled input reaching these eval calls could be exploited.

Error Messages You Might See

  • EvalError: Refused to evaluate a string as JavaScript
  • Content Security Policy directive: script-src 'self' does not allow 'unsafe-eval'
  • ESLint: eval can be harmful (no-eval)
  • TypeError: eval is not a function in strict mode

Common Causes

  • Dynamic JSON parsing with eval — Cascade used eval() to parse JSON instead of JSON.parse(), often when handling API responses with complex structures
  • String-based computed properties — Generated code uses eval to dynamically access nested object properties instead of bracket notation or lodash.get
  • Template string execution — Cascade built a template engine using new Function() to interpolate variables into strings
  • Dynamic import construction — Code constructs module import paths using eval rather than dynamic import() expressions
  • Math expression evaluation — A calculator or formula feature uses eval() to compute user-entered expressions

How to Fix It

  1. Search your codebase for eval patterns — Run grep -rn 'eval\|new Function\|setTimeout.*"\|setInterval.*"' src/ to find all instances
  2. Replace eval(JSON) with JSON.parse() — Every eval() call parsing JSON can be safely replaced with JSON.parse() wrapped in try-catch
  3. Use bracket notation for dynamic properties — Replace eval('obj.' + path) with a safe property accessor function that splits the path and walks the object
  4. Install a math expression parser — Replace eval() for math with a safe library like mathjs or expr-eval that only allows mathematical operations
  5. Add ESLint no-eval rule — Add 'no-eval': 'error' and 'no-new-func': 'error' to your ESLint config to prevent future occurrences
  6. Implement Content-Security-Policy — Add a CSP header with script-src that excludes 'unsafe-eval' to block eval at the browser level
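The following is an added example, not code generated by Cascade or shipped by Windsurf, showing eval-free replacements for three of the patterns above: JSON parsing (step 2), dynamic property access (step 3) and a calculator feature (step 4). Instead of pulling in mathjs or expr-eval, it includes a minimal recursive-descent arithmetic parser so the block runs stand-alone; all function names are hypothetical, and the sample inputs are constructed for illustration.

```javascript
// Added example (not Windsurf's or Cascade's code): eval-free replacements.
// Function names are hypothetical; sample inputs are constructed.

// Step 2: eval(jsonText) -> JSON.parse wrapped in try/catch. JSON.parse only
// accepts valid JSON and never executes code; malformed input yields null
// instead of an exception propagating into request handling.
function safeJsonParse(text) {
  try {
    return JSON.parse(text);
  } catch (err) {
    return null;
  }
}

// Step 3: eval('obj.' + path) -> split the path and walk the object.
// Only own properties are followed, so a path such as "__proto__.polluted"
// stops at the first missing own key instead of reaching the prototype chain.
function getPath(obj, path) {
  let current = obj;
  for (const key of path.split('.')) {
    if (current === null || typeof current !== 'object') return undefined;
    if (!Object.prototype.hasOwnProperty.call(current, key)) return undefined;
    current = current[key];
  }
  return current;
}

// Step 4: eval(expression) for a calculator -> a tiny recursive-descent parser
// that understands only numbers, + - * /, unary minus and parentheses.
// Identifiers, calls, semicolons or anything else are a SyntaxError, so the
// input string has no way of reaching the JavaScript runtime.
function evaluateMath(source) {
  let pos = 0;
  const peek = () => source[pos];
  const skipSpaces = () => { while (peek() === ' ') pos++; };

  function parseNumber() {
    skipSpaces();
    const start = pos;
    while (/[0-9.]/.test(peek() || '')) pos++;
    if (start === pos) throw new SyntaxError(`unexpected "${peek()}" at ${pos}`);
    const value = Number(source.slice(start, pos));
    if (Number.isNaN(value)) throw new SyntaxError(`bad number at ${start}`);
    return value;
  }
  function parseFactor() {
    skipSpaces();
    if (peek() === '-') { pos++; return -parseFactor(); }
    if (peek() === '(') {
      pos++;
      const value = parseExpression();
      skipSpaces();
      if (peek() !== ')') throw new SyntaxError('missing ")"');
      pos++;
      return value;
    }
    return parseNumber();
  }
  function parseTerm() {
    let value = parseFactor();
    for (;;) {
      skipSpaces();
      if (peek() === '*') { pos++; value *= parseFactor(); }
      else if (peek() === '/') { pos++; value /= parseFactor(); }
      else return value;
    }
  }
  function parseExpression() {
    let value = parseTerm();
    for (;;) {
      skipSpaces();
      if (peek() === '+') { pos++; value += parseTerm(); }
      else if (peek() === '-') { pos++; value -= parseTerm(); }
      else return value;
    }
  }

  const result = parseExpression();
  skipSpaces();
  // Trailing input (e.g. "1; alert(1)") is rejected rather than ignored.
  if (pos !== source.length) throw new SyntaxError(`unexpected "${peek()}" at ${pos}`);
  return result;
}

// Constructed sample inputs.
console.log(safeJsonParse('{"user":{"role":"viewer"}}'));   // parsed object
console.log(safeJsonParse('{role: viewer}'));              // null, not a crash
console.log(getPath({ a: { b: { c: 42 } } }, 'a.b.c'));    // 42
console.log(getPath({}, '__proto__.polluted'));            // undefined
console.log(evaluateMath('2 + 3 * (4 - 1)'));              // 11
```

The calculator is intentionally narrow: every token the grammar does not list is a parse error, which is the property a library such as mathjs or expr-eval gives you in a more complete form. The `getPath` helper stops at non-own keys so that user-supplied paths cannot walk into `__proto__` or `constructor`, a detail worth keeping if you replace it with lodash.get, which does not enforce that on its own.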


Frequently Asked Questions

Why is eval() dangerous even if it works correctly?

eval() executes any string as code. If an attacker can influence the string (through URL parameters, form inputs, database values), they can run arbitrary JavaScript — stealing cookies, accessing APIs, or modifying your page.

Is JSON.parse() always a safe replacement for eval()?

For parsing JSON data, yes. JSON.parse() only parses valid JSON and cannot execute code. Wrap it in try-catch to handle malformed input gracefully.
