F01 Foot-gun APIs
What this means
SiteShadow flagged use of APIs that are *easy to use unsafely*—especially when any part of the input could be attacker-controlled (dynamic evaluation, unsafe deserialization, dynamic imports).
Why it matters
These APIs can execute attacker-controlled code or load attacker-controlled payloads. When fed untrusted input, they are a common source of remote code execution.
- Even "internal-only" features can become exposed later (webhooks, admin tools, background jobs).
- The exploit path is often short: untrusted input → dangerous API → RCE/data compromise.
Safer examples
1) Avoid dynamic evaluation (eval, Function, etc.)
// Bad: eval(userInput)
// Good: parse/validate a known format
const n = Number.parseInt(userInput, 10);
if (!Number.isFinite(n)) throw new Error("Invalid number");
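The same idea carried further, as an added example that is not part of this page or of SiteShadow: a field that used to be fed to eval() because it "just needs arithmetic" is instead parsed with Python's ast module and walked against an allowlist of node types. The function names and sample inputs below are hypothetical.

```python
"""Replace eval() on user input with a parser for the one format you accept.

Added example, not SiteShadow's or the page's code. safe_arith/rejects and the
sample expressions are constructed for illustration.
"""
import ast
import operator

# Allowlist: the only node types and operators a calculator field needs.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def safe_arith(expr: str) -> float:
    """Evaluate a plain arithmetic expression without eval().

    Numbers, + - * / %, unary sign and parentheses are accepted. Anything
    else the parser can produce (Name, Call, Attribute, Pow, Subscript,
    bool/complex constants, ...) is refused with ValueError.
    """
    if len(expr) > 200:  # bounds parser and recursion work
        raise ValueError("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as e:
        raise ValueError("invalid expression") from e

    def walk(node: ast.AST) -> float:
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if (isinstance(node, ast.Constant)
                and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            try:
                return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
            except ZeroDivisionError as e:
                raise ValueError("division by zero") from e
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        # Default deny: everything not listed above is a foot-gun path.
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree)


def rejects(expr: str) -> bool:
    """True when safe_arith refuses the input (helper for checks)."""
    try:
        safe_arith(expr)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(safe_arith("(2 + 3) * 4 - 10 / 4"))  # 17.5
    # Valid Python, but not arithmetic: eval() would import os and run it,
    # the allowlisted walker stops at the Call node.
    print(rejects("__import__('os').getcwd()"))  # True
```

The point is the default-deny shape of walk(): a new node type is rejected until someone deliberately adds it, which is the opposite of eval(), where everything is allowed until someone thinks to forbid it.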
2) Avoid unsafe deserialization
Prefer a data-only format (JSON) plus a strict schema over native object deserialization (pickle, Java serialization, PHP unserialize, YAML loaders that construct arbitrary objects): the safe format carries values, the native formats can carry instructions about which code to run.
import json
data = json.loads(payload) # still validate schema/shape
3) Use allowlists for dynamic behavior
If you need "dynamic," map a safe key to known implementations.
handlers = {"pdf": handle_pdf, "csv": handle_csv}
handler = handlers.get(kind)  # kind may come from the request; only allowlisted keys resolve
if not handler:
    raise ValueError("Unsupported kind")
handler(payload)  # never getattr(module, kind) or an import by name
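Examples 2 and 3 together, as an added example that is not part of this page or of SiteShadow: the first half shows why pickle.loads() on untrusted bytes is a foot-gun (the payload names the callable that runs during loading, demonstrated with a harmless function that only records a marker), the second half is the replacement, JSON decoded into a dict, checked against an exact key/type schema, then dispatched through the allowlist. The job schema, handler names and sample payloads are constructed for the example.

```python
"""Unsafe deserialization next to the JSON + schema + allowlist replacement.

Added example, not the page's or SiteShadow's code. Gadget, the job schema,
handle_pdf/handle_csv and the payloads below are hypothetical.
"""
import json
import pickle
from typing import Any

# --- 1. Why pickle.loads() is a foot-gun ----------------------------------
# A pickle stream may name any importable callable plus its arguments; the
# loader calls it. A benign function stands in for os.system here.
SIDE_EFFECT = []


def attacker_callable(marker: str) -> str:
    SIDE_EFFECT.append(marker)
    return marker


class Gadget:
    def __reduce__(self):
        # (callable, args): this is what pickle.loads() will execute.
        return (attacker_callable, ("code ran during unpickle",))


def demo_pickle_rce() -> list:
    """Return the side effects caused purely by calling pickle.loads()."""
    SIDE_EFFECT.clear()
    payload = pickle.dumps(Gadget())  # bytes an attacker would send
    pickle.loads(payload)             # nothing on the result is ever used
    return list(SIDE_EFFECT)


# --- 2. Safe path: JSON, strict shape, allowlisted dispatch ---------------
def handle_pdf(job: dict) -> str:
    return f"rendering {job['path']} as pdf"


def handle_csv(job: dict) -> str:
    return f"exporting {job['path']} as csv"


HANDLERS = {"pdf": handle_pdf, "csv": handle_csv}

# Exact key set and one type per key; extra keys are refused so a payload
# cannot smuggle fields a handler never expected.
JOB_SCHEMA = {"kind": str, "path": str, "retries": int}


def validate_job(data: Any) -> dict:
    if not isinstance(data, dict):
        raise ValueError("job must be a JSON object")
    if set(data) != set(JOB_SCHEMA):
        raise ValueError(f"unexpected keys: {sorted(set(data) ^ set(JOB_SCHEMA))}")
    for key, typ in JOB_SCHEMA.items():
        # bool is a subclass of int: JSON true must not pass as a retry count
        if not isinstance(data[key], typ) or isinstance(data[key], bool):
            raise ValueError(f"{key!r} must be {typ.__name__}")
    if data["kind"] not in HANDLERS:
        raise ValueError(f"unsupported kind {data['kind']!r}")
    if not 0 <= data["retries"] <= 5:
        raise ValueError("retries out of range")
    return data


def run_job(raw: bytes) -> str:
    """Decode, validate, then dispatch by allowlist; no getattr, no eval."""
    job = validate_job(json.loads(raw))
    return HANDLERS[job["kind"]](job)


def job_is_rejected(raw: bytes) -> bool:
    """True when run_job refuses the payload (JSONDecodeError is a ValueError)."""
    try:
        run_job(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo_pickle_rce())                       # ['code ran during unpickle']
    print(run_job(b'{"kind": "csv", "path": "report", "retries": 2}'))
    print(job_is_rejected(b'{"kind": "__import__", "path": "x", "retries": 0}'))
```

Two details are worth noticing: the pickle half never calls a method on the loaded object, the code runs inside pickle.loads() itself, which is why "we only read it" is no defense; and the JSON half treats the dispatch key as data to look up, never as a name to resolve, so an unknown kind is a ValueError rather than an attribute lookup.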
How SiteShadow detects it (high level)
- Flags known high-risk APIs (dynamic eval, unsafe deserialization, shell execution).
- Prioritizes cases where inputs appear untrusted (request/body/query/env/network).
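A small line-level version of that two-stage check, added here as an illustration and not SiteShadow's actual detector: stage one matches calls to a handful of known foot-gun APIs, stage two bumps the priority when the call's argument text mentions an identifier that usually carries attacker-influenced data. The API list, the taint markers and the sample source are all constructed for this example, and the heuristic is deliberately line-local, so it rates an indirect flow (request body decoded into a variable that is then passed to a shell) as medium rather than high.

```python
"""Line-level foot-gun API detector with a taint-based priority.

Added example, not SiteShadow's code. FOOTGUN_APIS, UNTRUSTED_SOURCES and
SAMPLE are constructed for illustration.
"""
import re
from typing import Optional

# Stage 1: APIs that run code, construct arbitrary objects or spawn a shell.
FOOTGUN_APIS = {
    r"\beval\s*\(": "dynamic-eval",
    r"\bexec\s*\(": "dynamic-eval",
    r"\bnew\s+Function\s*\(": "dynamic-eval",
    r"\bpickle\.loads?\s*\(": "unsafe-deserialization",
    r"\byaml\.load\s*\(": "unsafe-deserialization",
    r"\bos\.system\s*\(": "shell-exec",
    r"\bsubprocess\.\w+\s*\([^)]*shell\s*=\s*True": "shell-exec",
    r"\bchild_process\.exec\s*\(": "shell-exec",
    r"\bimportlib\.import_module\s*\(": "dynamic-import",
}

# Stage 2: identifiers that usually carry data from a request, the
# environment or the network.
UNTRUSTED_SOURCES = re.compile(
    r"\b(request|req|body|query|params|headers|cookies|os\.environ|"
    r"process\.env|sys\.argv|socket|recv)\b"
)


def scan_line(line: str) -> Optional[dict]:
    """Return a finding for the first foot-gun call on the line, else None."""
    for pattern, kind in FOOTGUN_APIS.items():
        m = re.search(pattern, line)
        if not m:
            continue
        # Everything from the call's opening paren onward is the argument text.
        args = line[line.index("(", m.start()):]
        tainted = UNTRUSTED_SOURCES.search(args) is not None
        return {
            "kind": kind,
            "api": m.group(0).split("(")[0],
            "priority": "high" if tainted else "medium",
        }
    return None


def scan(source: str) -> list:
    """Run scan_line over a file's text, skipping whole-line comments."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(("#", "//")):
            continue
        finding = scan_line(line)
        if finding:
            findings.append({"line": lineno, **finding})
    return findings


# Constructed sample: one safe call, four flagged calls of varying priority.
SAMPLE = """\
import json, pickle, subprocess
def api(request):
    data = json.loads(request.body)
    cfg = yaml.load(open("settings.yml"))
    obj = pickle.loads(request.body)
    subprocess.run("convert " + data["name"], shell=True)
    return eval(request.GET["expr"])
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']}: {f['api']} [{f['kind']}] priority={f['priority']}")
```

Running it on SAMPLE yields nothing for the json.loads() line, medium findings for the yaml.load() of a local file and for the shell=True call whose tainted input arrives through an intermediate variable, and high findings for pickle.loads(request.body) and eval(request.GET[...]). Closing that medium-rated gap is exactly what needs dataflow rather than per-line matching.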
References
- CWE-94: https://cwe.mitre.org/data/definitions/94.html
- CWE-502: https://cwe.mitre.org/data/definitions/502.html
---