The system should not use dynamic code execution features such as eval().
Dynamic code execution features, despite the flexibility they provide, should be used carefully and generally avoided. These features often open the door for remote code execution (RCE) and cross-site scripting (XSS) attacks. Therefore, if it is not possible to avoid dynamic code execution, any untrusted input being included (e.g. the one provided by the users) should be properly sanitized.
CAPEC-19: Embedding Scripts within Scripts. An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The adversary leverages this capability to execute their own script by embedding it within other scripts that the target software is likely to execute. The adversary must have the ability to inject their script into a script that is likely to be executed.
CAPEC-242: Code Injection. An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing.
CAPEC-248: Command Injection. An adversary looking to execute a command of their choosing, injects new items into an existing command thus modifying interpretation away from what was intended.
CWE-20: Improper Input Validation. The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
CWE-94: Code Injection. The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-95: Eval Injection. The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
OWASP Top 10 A1:2017-Injection. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements.(C.14) Verify that the application and firmware components are not susceptible to OS Command Injection by invoking shell command wrappers, scripts, or that security controls prevent OS Command Injection.
OWASP-ASVS v4.0.1 V5.1 Input Validation Requirements.(5.2.4) Verify that the application avoids the use of eval() or other dynamic code execution features. Where there is no alternative, any user input being included must be sanitized or sandboxed before being executed.
OWASP-ASVS v4.0.1 V5.2 Sanitization and Sandboxing Requirements.(5.2.7) Verify that the application sanitizes, disables, or sandboxes user-supplied SVG scriptable content, especially as they relate to XSS resulting from inline scripts, and foreignObject.
OWASP-ASVS v4.0.1 V5.2 Sanitization and Sandboxing Requirements.(5.2.8) Verify that the application sanitizes, disables, or sandboxes user-supplied scriptable or expression template language content, such as Markdown, CSS or XSL stylesheets, BBCode, or similar.
PCI DSS v3.2.1 - Requirement 6.5.1 Address common coding vulnerabilities in software-development processes such as injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.
PCI DSS v3.2.1 - Requirement 6.5.7 Address common coding vulnerabilities in software-development processes such as cross-site scripting (XSS).